Data Processing Agreement

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", "sub-processor", "data subject" and "personal data breach" have the meanings given to them in the GDPR. "Data Template" means the Google Sheet (or equivalent) completed by the Controller after payment, containing personal data about the Controller's employees and, where applicable, others.

2. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely for the purpose of designing, producing and delivering the custom Cardworks game ordered by the Controller, as further described in the Cardworks Privacy Policy and the order confirmation.

This DPA takes effect when the Controller submits the Data Template and remains in effect for as long as the Processor processes personal data on the Controller's behalf, including any period needed to handle reorders or respond to after-sales requests, after which it terminates automatically without prejudice to clause 8 (Return and deletion of data).

3. Nature and purpose of processing

The processing consists of receiving, storing, and using the personal data in the Data Template to generate card artwork, statistics, and effects, and to produce the rulebook, packaging, and printed materials for the Controller's order.

4. Categories of data subjects and personal data

Categories of data subjects:

• Employees of the Controller (and, where the Controller chooses to include them, other individuals such as contractors or clients featured on cards)

Categories of personal data:

• Full name and job title
• Two selected personality traits (playful, subjective labels chosen by the Controller for use in the game)
• A photograph, or details for a custom illustrated avatar
• Names and descriptions of locations, teams, processes, clients and events, where these relate to identifiable individuals

The Controller determines which personal data is included in the Data Template and confirms it has a valid legal basis for sharing this data with the Processor.

5. Processing only on instructions

The Processor shall process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or Dutch law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.

The Controller's instructions for this DPA are limited to: (a) the Data Template and any accompanying written communication; and (b) the processing activities described in clauses 2 and 3 above. Any additional or different processing must be agreed between the Parties in writing.

The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

6. Confidentiality

The Processor shall ensure that any person authorised to process the personal data is bound by an appropriate duty of confidentiality, whether contractual or statutory.

7. Security of processing

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk to data subjects, the Processor shall implement appropriate technical and organisational measures, including:

• Limiting access to the Data Template and order data to the people involved in producing the relevant order
• Not making links to the Data Template publicly accessible, and sharing them only with the Controller and authorised sub-processors
• Using reputable service providers (such as Typeform and Google Workspace) that maintain their own appropriate security standards
• Deleting personal data in accordance with clause 8 once it is no longer needed

8. Return and deletion of data

Upon completion of the agreed processing services, or earlier at the Controller's written request, the Processor shall delete the personal data in the Data Template, including employee photos, unless EU or Dutch law requires storage of that personal data.

Unless the Controller requests otherwise, the Processor will retain the Data Template for up to 12 months after delivery of the order to facilitate any reorders, after which it will be deleted. This does not affect the separate retention of invoicing and order administration data as described in the Cardworks Privacy Policy.

9. Sub-processors

The Controller grants the Processor general written authorisation to engage the following sub-processors in connection with the processing described in this DPA:

• Typeform for collection of initial order details
• Google (Google Workspace / Google Sheets) for receipt and storage of the Data Template
• The Processor's printing and production partners for manufacturing of the ordered cards, box and rulebook

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object within a reasonable period. The Processor shall impose on any sub-processor the same data protection obligations as set out in this DPA, and remains fully liable to the Controller for the performance of that sub-processor's obligations.

Where a sub-processor is located outside the European Economic Area, the Processor shall ensure that an appropriate transfer mechanism recognised under the GDPR (such as the European Commission's Standard Contractual Clauses) is in place.

10. Assistance with data subject rights

Taking into account the nature of the processing, the Processor shall assist the Controller, insofar as reasonably possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under the GDPR (such as access, rectification, erasure, restriction, or objection).

If the Processor receives a request directly from a data subject relating to personal data processed on behalf of the Controller, it shall inform the data subject that the Controller is the responsible party, and shall promptly forward the request to the Controller without responding to it substantively, unless otherwise required by law.

11. Personal data breaches

The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of a personal data breach affecting personal data processed under this DPA. The notification shall describe, to the extent known at the time, the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences, and the measures taken or proposed to address the breach.

The Processor shall provide reasonable cooperation and information to enable the Controller to comply with its own notification obligations under Articles 33 and 34 of the GDPR.

12. Audits and information

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to reasonable audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, provided that such audits are conducted on reasonable notice, during business hours, and in a manner that does not unreasonably disrupt the Processor's business or compromise the confidentiality of other customers' data.

13. Liability, governing law and order of precedence

Liability for breaches of this DPA is governed by the liability provisions of the underlying agreement between the Parties (the Cardworks order and Terms and Conditions), except where the GDPR provides for specific liability of a processor that cannot be limited or excluded by agreement.

This DPA is governed by the laws of the Netherlands. In the event of any inconsistency between this DPA and the rest of the agreement between the Parties, this DPA prevails with respect to the processing of personal data.