Skip to main content

Last updated: 8 September 2021

Metacore Games Ltd - Data Processor Terms For Vendors

This document “Data Processor Terms for Vendors” (“DPA”) is an integral part of the Sourcing Agreement executed between Metacore and Vendor.


  • Controller”, “processor”, “data subject”, “personal data”, and “processing” (and any other forms of “process”) have the meaning given to them in Applicable Data Protection Law. Where applicable, personal data shall be deemed to include “personally identifiable information”.
  • Applicable Data Protection Law” means any law, rule, or statute governing processing, use or disclosure of personal data or personally identifiable information including, but not limited to Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) together with any applicable implementing legislation.
  • Model Clauses” means the standard contractual clauses adopted by the European Commission with its decision 2021/94 on standard contractual clauses for the transfer of personal data to third countries, as may be amended or replaced from time to time.


  • Appointment. Metacore as the controller appoints the Vendor as a processor to process personal data relating to Metacore’s end users and other separately agreed data subjects while providing the Services, but in any case, solely for Metacore´s benefit and not the Vendor or a third party. Vendor will act as a "Service Provider" as the term is defined in the California Consumer Privacy Act (“CCPA”). Neither the Vendor or its subcontractors shall sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Metacore´s personal data to any third party in a way that would constitute "selling" as the term is defined by the CCPA. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
  • Scope of Processing. The Vendor shall process personal data solely as follows: (a) the subject matter, nature, and purpose of processing shall comprise the processing operations necessary for the performance of Vendor´s obligations pursuant to the Agreement in accordance with Metacore´s documented instructions (“Purpose”); (b) the duration of the processing shall correspond to the term of the Agreement; and (c) the types and categories of personal data are limited to personal data related to Metacore’s end users or other data separately agreed upon, processed in the course of providing the Services (“Data”). The Vendor shall not process the Data except for the Purpose.
  • Confidentiality of Processing. The Vendor shall ensure that: (a) any person it authorizes to process the Data is subject to a strict duty of confidentiality (whether contractual or statutory) with respect to such processing; and (b) all such persons process the Data solely as necessary for the Purpose.
  • Data Transfers. If the Vendor processes the Data outside of the European Economic Area and the territories which the European Commission has, at the time of the Initial Transfer (as defined below), designated as providing adequate protection for personal data, the Parties agree that the Model Clauses apply to the transfer of personal data from Metacore to the Vendor (the “Initial Transfer”) and that the Model Clauses are hereby deemed executed between the Parties by this reference and incorporated herein as an integral part of this DPA. Of the model Clauses, specifically module two “transfer controller to processor” is applied to this DPA. For the purposes of the Model Clauses: (a) Metacore shall be data exporter; (b) the Vendor shall be data importer; and (c) the data subjects, categories of data, special categories of data (if any), processing operations, and the technical and organizational measure implemented by the data importer shall be those specified in this DPA. In case of any conflict or discrepancy between the Model Clauses and this DPA, the Model Clauses will control. If the Vendor transfers the Data to a Sub-processor (as defined below) outside of the EEA and the territories which the European Commission has designated as providing adequate protection for personal data, the Vendor shall ensure that appropriate safeguards have been provided for such transfer of the Data as required by the Applicable Data Protection Law.
  • Sub-Processors. The Vendor shall not subcontract any processing of the Data to any third party (including any Affiliate of the Vendor) (each a “Sub-processor”) without Metacore´s prior written consent. Metacore agrees to consent to the Vendor´s Sub-processor, provided that: (a) the Vendor provides at least 30 days’ prior notice to Metacore of the addition of the Sub-processor (together with a description of the processing the Sub-processor shall perform); (b) before the Sub-processor starts processing the Data, the Vendor carries out adequate due diligence to ensure that the Sub-processor is able to guarantee an adequate level of protection for the Data as required by the Applicable Data Protection Law; (c) the Vendor engages the Sub-processor to process the Data on written terms substantially the same as those in this DPA; and (d) the Vendor remains fully liable for any breach of this DPA caused by an act, error, or omission of its Sub-processor. If Metacore reasonably disagrees with the Vendor´s engagement of any Sub-processor and the Vendor refuses to not use such Sub-processor for the processing of the Data, Metacore shall have the right to terminate this DPA and the Agreement with immediate effect without incurring any liability. The Vendor shall maintain a complete and accurate list of its Sub-processors and shall provide or make available to Metacore a current copy of such list upon Metacore´s request.
  • Data Subject Requests. The Vendor shall at its own cost provide to Metacore all reasonable and timely assistance to enable Metacore to respond to: (a) any request from a data subject to exercise any of their statutory rights (including the rights of access, rectification, erasure, objection, restriction, and data portability, as applicable); or (b) any other enquiry, complaint, or other communication received from a data subject, supervisory authority, or other third party relating to the processing of the Data. If any such request, enquiry, complaint, or other communication is made directly to the Vendor, the Vendor shall promptly inform Metacore thereof and provide full details of the same.
  • Data Security. The Vendor will maintain appropriate technical and organizational measures to protect the Data from accidental or unlawful destruction, loss, or alteration as well as unauthorized disclosure or access (each a “Security Incident”). Such measures will reflect the state of the art, with due regard to the risks of varying likelihood and severity for the rights and freedoms of natural persons, the costs of implementation, and the nature, scope, context and purposes of processing. If the Vendor becomes aware of a Security Incident, the Vendor will immediately (and in no case later than 48 hours) inform Metacore thereof and at its own cost provide all necessary and timely information and assistance that Metacore may require to investigate, remedy or mitigate the effects of, or to fulfill its notification and documentation obligations with respect to the Security Incident within the timeframes prescribed by Applicable Data Protection Law.
  • Data Retention. Upon termination or expiration of the Agreement or upon Metacore´s request, the Vendor shall, at Metacore´s election and following Metacore´s instructions, destroy or return to Metacore all Data and copies thereof in its possession or control. The Vendor may retain the Data or part thereof as required by applicable laws and regulations of the European Union or any member state thereof, if the Vendor isolates and protects the Data from any further processing except as strictly required for compliance with such laws and regulations.
  • Audit Rights. Metacore or its designated third-party auditor shall have the right, at Metacore´s own expense, at any time during normal business hours and upon five calendar days’ prior notice (or any shorter notice as required by a supervisory authority), to audit the Vendor´s compliance with this DPA. The Vendor shall make available all information, systems, and personnel necessary for Metacore to conduct such audit
  • Indemnification. The Vendor agrees to indemnify, defend and hold harmless Metacore and each of its officers, directors, employees, subcontractors, representatives and agents from any and all damages, actions, third-party claims, liabilities, costs and expenses, including reasonable attorneys' fees and expenses resulting from such actions or claims, arising out of or relating to: (i) a Security Incident; (ii) the Vendor´s negligence or willful misconduct related to Data; and/or (iii) the Vendor´s breach of this DPA.