Data Processing Agreement (DPA)
Article 28 GDPR terms governing personal data that ESAGAMES processes on behalf of its customers. This DPA forms part of, and is subject to, the ESAGAMES Terms & Conditions.
1. Roles: who is responsible for what
This DPA applies where ESAGAMES HOSTING SHIELD SRL ("ESAGAMES", "we") processes personal data on behalf of a customer ("Customer", "you") in the course of providing hosting services.
For that data, you are the data controller and we are the data processor. You decide what personal data goes onto your server, why, and for how long. We do not inspect, use or determine the purposes of the content you host — we simply operate the infrastructure it runs on.
Where we process data for our own purposes — your billing details, account, support tickets, fraud prevention, network security — we act as an independent controller. That processing is governed by our GDPR Policy, not by this DPA.
This DPA is automatically incorporated into your contract when you use our services to process personal data. No signature is required for it to apply; if your organisation requires a countersigned copy, contact legal@esagames.ro.
2. Subject matter and details of the processing
| Subject matter | Provision of hosting infrastructure (game servers, web hosting, VDS, dedicated servers, voice servers, Anti-DDoS filtering) and related support. |
| Duration | For as long as the Customer's service is active, plus the retention window in section 10. |
| Nature and purpose | Hosting, storage, transmission, backup and network filtering of Customer content, strictly to deliver the service and keep it available and secure. |
| Types of personal data | Determined solely by the Customer. Typically: usernames, game/voice identifiers (e.g. Steam ID, UUID, Cfx.re identifiers), IP addresses, chat and server logs, e-mail addresses, and any data the Customer's own application or database stores. |
| Categories of data subjects | Determined solely by the Customer. Typically: the Customer's players, community members, staff, website visitors or end users. |
| Special category data | Not permitted without our prior written agreement (see section 4). |
3. Our obligations as processor
We shall:
- process personal data only on your documented instructions — your use of the service, and this DPA, constitute those instructions — unless required otherwise by EU or Member State law, in which case we will inform you unless the law prohibits it;
- ensure that personnel authorised to access personal data are bound by confidentiality;
- implement the technical and organisational measures set out in section 5 (Article 32 GDPR);
- respect the conditions on sub-processors in section 6;
- assist you, so far as is reasonably possible and taking into account the nature of the processing, with data subject requests (section 7), security, breach notification and data protection impact assessments (Articles 32–36);
- delete or return personal data at the end of the service, per section 10;
- make available the information reasonably necessary to demonstrate compliance with Article 28 and allow for audits, on the terms in section 11;
- inform you if, in our opinion, an instruction infringes the GDPR or other applicable data protection law.
We will not sell, rent, mine or otherwise exploit Customer content, and we do not access it except where strictly necessary to deliver the service, provide support you request, maintain security, or comply with a legal obligation.
4. Your obligations and warranties
You are responsible for everything you put on your server. You warrant and undertake that:
- you have a valid legal basis under Article 6 GDPR (and Article 9 where applicable) for all personal data you process using our services, and have provided all required privacy notices to your data subjects;
- your instructions to us are lawful, and your collection and use of the data does not breach any applicable law;
- you will not upload special categories of personal data (Article 9), criminal offence data (Article 10), payment card data, or data of children below the applicable age of digital consent, without our prior written agreement — our infrastructure is not offered or certified for such data by default;
- you maintain your own backups of Customer content and are responsible for your own retention and deletion schedules;
- you keep your credentials secure and are responsible for access granted to your staff, community or third parties.
Indemnity. To the maximum extent permitted by law, you shall indemnify and hold ESAGAMES harmless against any claim, fine, penalty, loss or cost (including reasonable legal fees) arising from a breach of the warranties in this section, from unlawful data you placed on our infrastructure, or from instructions you gave us that infringed applicable law.
5. Security measures (Article 32)
Taking into account the state of the art, cost, and the nature, scope, context and purposes of processing, we maintain appropriate technical and organisational measures, including:
- Physical security — carrier-grade data centres in Frankfurt, Germany, with access control, monitoring, redundant power and cooling;
- Network security — always-on multi-Tbps DDoS filtering, firewalling, network segmentation and traffic monitoring;
- Encryption — TLS for data in transit to our web and control surfaces; free SSL/TLS certificates available for Customer services;
- Access control — least-privilege administrative access, individual accounts, strong authentication, and logging of administrative actions;
- Isolation — separation between customer accounts, services and containers/virtual machines;
- Resilience & patching — monitoring, redundancy, and timely patching of the platform we operate;
- Confidentiality — personnel bound by confidentiality obligations.
These measures may evolve as technology and threats change. We may update them provided the overall level of security is not reduced. Security of anything inside your server — your application, game build, mods, plugins, CMS, database and their configuration — remains your responsibility.
6. Sub-processors
You give ESAGAMES general authorisation to engage sub-processors to help deliver the service. We impose data protection obligations on each sub-processor that are no less protective than this DPA, and we remain fully liable to you for their performance of those obligations.
Current categories of sub-processors include: data centre and network operators (Frankfurt, Germany), DDoS mitigation providers, payment processors (for billing data we control), e-mail delivery, live-chat and support tooling, and monitoring/backup providers. An up-to-date list is available on request from legal@esagames.ro.
Changes. We will inform you of any intended addition or replacement of a sub-processor with at least 30 days' notice (by e-mail or announcement). You may object on reasonable, documented data protection grounds within 14 days of that notice. If we cannot reasonably accommodate your objection, your sole and exclusive remedy is to terminate the affected service, without penalty, with a pro-rata refund of any prepaid, unused fees. Continued use of the service after the notice period constitutes acceptance.
7. Data subject requests
You are responsible for responding to requests from your data subjects (access, rectification, erasure, restriction, portability, objection). You retain full control of the data on your service and can, in the vast majority of cases, action such requests yourself through your panel, files and database.
If a data subject contacts us directly about data we process on your behalf, we will not respond substantively; we will refer them to you and, where we can identify you, inform you without undue delay.
Where you cannot fulfil a request through your own access to the service, we will provide reasonable assistance, taking into account the nature of the processing. Assistance that goes beyond our Article 28(3)(e) obligation, or that is materially burdensome, may be charged at our then-current professional services rates, notified to you in advance.
8. Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting personal data we process on your behalf, and will provide the information reasonably available to us to assist you in meeting your own notification duties under Articles 33 and 34.
Our notification is not an acknowledgement of fault or liability. As controller, you are responsible for assessing the breach and for any notification to a supervisory authority or to data subjects. Incidents confined to your own application, configuration, mods, plugins or credentials are your responsibility, though we will assist as reasonably practicable.
9. International transfers
Customer content is hosted on infrastructure located in Frankfurt, Germany (European Union). We do not transfer Customer personal data outside the European Economic Area for the purpose of hosting it.
Where a sub-processor (for example a support or e-mail tool) would involve a transfer outside the EEA, we ensure an appropriate Article 46 safeguard is in place — typically the European Commission's Standard Contractual Clauses together with any supplementary measures required — or that the recipient is covered by an adequacy decision.
10. Deletion and return of data
On termination or expiry of a service, and unless EU or Member State law requires further storage, we will delete the personal data we process on your behalf.
You are responsible for exporting your own data before termination. After a service is terminated, data may be retained for a short grace period to allow reactivation, after which it is deleted from active systems; residual copies in routine backups are overwritten in the ordinary backup rotation. Requests to export or return data after termination may not be possible and, where they are, may be charged.
Data we hold as controller (invoices, accounting records, tickets) is retained per our GDPR Policy and applicable statutory retention periods — notably Romanian accounting and tax law.
11. Audits and information
We will make available to you the information reasonably necessary to demonstrate compliance with Article 28, and will contribute to audits, on the following terms:
- information requests and audits are limited to once per calendar year, save where a supervisory authority requires otherwise or following a confirmed breach affecting your data;
- you must give at least 30 days' written notice;
- the audit is satisfied first by our written responses, documentation and any certifications or reports we hold;
- any on-site audit must be conducted during business hours, without unreasonable disruption, subject to confidentiality, and at your cost (including our reasonable time at our then-current rates);
- audits must not compromise the security, confidentiality or availability of other customers' data — we may withhold information whose disclosure would do so.
12. Liability and precedence
Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms & Conditions (see Rule 49), which apply to this DPA as if set out here in full. Nothing in this DPA limits any liability that cannot lawfully be limited, including under Article 82 GDPR.
In case of conflict, the order of precedence is: (1) mandatory applicable data protection law; (2) this DPA, for matters concerning the processing of personal data on your behalf; (3) the Terms & Conditions; (4) any other document.
This DPA is governed by Romanian law and is subject to the jurisdiction and dispute resolution provisions of the Terms & Conditions (Rule 52).
13. Contact
Data protection and DPA queries: legal@esagames.ro
Abuse and security reports: abuse@esagames.ro
ESAGAMES HOSTING SHIELD SRL — C.U.I. 43286632 — EUID ROONRC.J23/5251/2020 — Romania. Infrastructure: Frankfurt, Germany.
Terms of Service · GDPR Policy · Cookie Policy · Contact