SForest

Data Processing Addendum

Last Updated: January 1, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement(s) between SLUMBERING FOREST LLC, a company incorporated under the laws of the State of Washington, United States (“Company” or “Processor”), and the counterparty accepting this DPA (“Merchant” or “Controller”).

This DPA applies where Company processes Personal Data on behalf of Merchant in connection with the Services.


1. Definitions

For purposes of this DPA:

  • “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data, including but not limited to:
    • EU GDPR (Regulation (EU) 2016/679)
    • UK GDPR
    • California Consumer Privacy Act, as amended by the CPRA (“CCPA/CPRA”)
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” has the meaning given under GDPR.
  • “Sub-processor” means any third party engaged by Company to process Personal Data.

2. Roles of the Parties

  1. Merchant acts as the Controller (or “Business” under CCPA/CPRA).
  2. Company acts as the Processor (or “Service Provider” under CCPA/CPRA).
  3. Each party shall comply with its respective obligations under Applicable Data Protection Laws.

3. Scope and Purpose of Processing

3.1 Subject Matter

Processing of Personal Data for the purpose of providing game publishing, distribution, payment processing, and related services.

3.2 Duration

Processing shall continue for the term of the underlying agreement unless otherwise required by law.

3.3 Nature of Processing

Collection, storage, transmission, hosting, payment facilitation, fraud prevention, and customer support.

3.4 Categories of Data Subjects

  • End users (adult users aged 18+)
  • Merchant personnel and representatives

3.5 Types of Personal Data

  • Account identifiers (email, user ID)
  • Transaction and payment metadata
  • Device and technical identifiers
  • Merchant business contact data

No intentional processing of minors’ data.


4. Processor Obligations

Company shall:

  1. Process Personal Data only on documented instructions from Merchant;
  2. Ensure personnel are bound by confidentiality obligations;
  3. Implement appropriate technical and organizational security measures;
  4. Assist Merchant, to the extent legally required, with:
    • Data subject requests
    • Data protection impact assessments
    • Regulatory inquiries
  5. Notify Merchant without undue delay of any Personal Data Breach, where required by law.

5. Sub-processors

  1. Merchant authorizes Company to engage Sub-processors.
  2. Company shall maintain contractual safeguards with Sub-processors.
  3. A current list of Sub-processors shall be made available upon request.
  4. Company remains responsible for Sub-processors’ compliance.

6. International Data Transfers

Personal Data may be processed in the United States or other jurisdictions.

Where required:

  • Transfers shall rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.
  • Merchant authorizes such transfers.

7. Data Subject Rights

Company shall reasonably assist Merchant in responding to requests for:

  • Access
  • Deletion
  • Correction
  • Restriction or objection
  • Data portability

Company shall not respond directly to data subjects unless legally required.


8. Data Retention & Deletion

Upon termination of Services, Company shall, at Merchant’s choice and where legally permissible:

  • Delete Personal Data; or
  • Return Personal Data to Merchant.

Company may retain Personal Data as required by applicable law.


9. Security Measures

Company maintains commercially reasonable safeguards, including:

  • Access controls
  • Encryption in transit and at rest (where appropriate)
  • Incident response procedures
  • Regular security assessments

10. CCPA / CPRA Compliance (U.S.-Specific)

Company represents and warrants that:

  1. It acts as a Service Provider;
  2. It does not sell or share Personal Data;
  3. It does not retain, use, or disclose Personal Data outside the scope of providing Services;
  4. It will not combine Personal Data with other data except as permitted by law.

11. Audits

Upon reasonable written request and subject to confidentiality obligations, Company shall provide information necessary to demonstrate compliance with this DPA.

On-site audits are limited to:

  • Once per year
  • During normal business hours
  • At Merchant’s expense

12. Liability

This DPA does not expand either party’s liability beyond what is set forth in the underlying agreement.


13. Governing Law & Dispute Resolution

13.1 Governing Law

This DPA shall be governed by the laws of the State of Washington, USA, without regard to conflict-of-law principles.

13.2 Dispute Resolution

Any dispute arising out of or relating to this DPA shall be resolved in accordance with the dispute resolution provisions set forth in the Terms of Service, including binding arbitration where applicable.


14. Order of Precedence

In the event of conflict:

  1. This DPA
  2. The applicable Merchant Agreement
  3. Terms of Service

15. Execution

This DPA is effective upon Merchant’s acceptance of the applicable agreement or continued use of the Services.