Data Processing Addendum
Dracobyte LLC | Dracobyte | Effective April 20, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Dracobyte LLC ("Dracobyte") for the processing of personal data of the Customer's end users (such as players on the Customer's Minecraft server) where Customer is the controller and Dracobyte acts as processor. To incorporate this DPA, the Customer must execute the acceptance form linked at the legal page or include reference to this DPA in a signed order form.
1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR. "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings set out in Article 4 GDPR. "Subprocessor" means any third party engaged by Dracobyte to Process Customer Personal Data.
2. Scope and Roles
Customer determines the purposes and means of processing Customer Personal Data and is the Controller. Dracobyte Processes Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country. The instructions are set out in this DPA, the Terms of Service, the Privacy Policy, and any subsequent written instruction.
3. Subject Matter, Duration, Nature, and Purpose
| Element | Description |
|---|---|
| Subject matter | Hosting of Customer's Minecraft server and provision of related Service features |
| Duration | For the term of the agreement plus any retention required for legal or backup purposes |
| Nature and purpose | Hosting, storage, security, support, and operational improvement |
| Categories of data subjects | Customer's end users and any other persons whose data Customer chooses to process via the Service |
| Categories of personal data | Identifiers (such as usernames, IP addresses), in-game activity data, chat content stored by Customer, and any data Customer chooses to store on the server |
| Special categories | None expected; Customer must not store special category data without prior written agreement |
4. Dracobyte Obligations
- Process Customer Personal Data only on Customer's documented instructions and as required by law.
- Ensure persons authorized to process Customer Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures ("TOMs"), described in Annex II below.
- Assist Customer with Data Subject requests, by appropriate technical and organizational measures.
- Assist Customer in ensuring compliance with security, breach notification, data protection impact assessments, and prior consultation under Articles 32 to 36 GDPR.
- At Customer's choice, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies unless retention is required by law.
- Make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, subject to reasonable notice and confidentiality.
Deletion timeframe. Where Customer instructs Dracobyte to delete Customer Personal Data, Dracobyte will complete the deletion of such data from active production systems within thirty (30) days following receipt of a verified instruction, and will overwrite or expire corresponding entries in operational backups in the normal backup rotation within a further ninety (90) days. Data retained for legal, accounting, or dispute-resolution purposes is held only for the minimum period required and is isolated from active processing.
5. Subprocessing
Customer authorizes Dracobyte to engage subprocessors to Process Customer Personal Data. Dracobyte will:
- Maintain a list of subprocessors at the legal page and provide notice of new or replacement subprocessors at least thirty days in advance.
- Impose data protection terms on each subprocessor that are at least as protective as this DPA.
- Remain liable to Customer for the acts and omissions of its subprocessors to the same extent Dracobyte would be liable if performing the services directly.
- Allow Customer to object on reasonable grounds to a new subprocessor; if the parties cannot agree on a resolution, Customer may terminate the affected services without penalty.
6. International Transfers
To the extent that the provision of the Service involves the transfer of Customer Personal Data from the EEA, the United Kingdom, or Switzerland to a country not subject to an adequacy decision, the parties agree that the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), together with the UK International Data Transfer Addendum where applicable, are incorporated into this DPA by reference. Annex I and Annex II below are deemed to populate the SCC annexes.
Module selection. Where Dracobyte acts as Processor to Customer's Controller, Module Two (Controller to Processor) applies. Where Dracobyte onward-transfers Customer Personal Data to a Subprocessor that itself acts as a processor, Module Three (Processor to Processor) applies between Dracobyte and that Subprocessor and is incorporated by reference between the parties for the limited purpose of documenting the onward-transfer chain. In all cases, Clause 7 (Docking Clause) is not selected, Clause 9(a) option 2 (general written authorization) is selected with the notice period described in Section 5, Clause 11(a) optional redress language is not selected, and Clause 17 governing law and Clause 18 forum are populated by reference to Annex I.
7. Personal Data Breach
Dracobyte will notify Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent available, the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
Notification channel. Notification will be sent by email to the designated security contact that Customer provides at onboarding or updates in the control panel. If Customer has not designated a security contact, notification will be sent to the billing email of record, with a courtesy copy to privacy@dracobyte.pro on the Dracobyte side to record the dispatch. Customer is responsible for keeping its designated contact current. A secondary telephone or secure messaging escalation may be used for critical incidents where email delivery is not confirmed.
Follow-up notifications will be provided as additional information becomes available. Initial notification will not be delayed pending a complete investigation.
8. Audits
Customer may, no more than once per year and at Customer's expense, audit Dracobyte's compliance with this DPA, on reasonable prior written notice, during normal business hours, and subject to confidentiality obligations. Where available, Dracobyte may satisfy this obligation by providing third-party audit reports (such as SOC 2) or self-assessments in lieu of an on-site audit.
9. Term and Termination
This DPA continues in effect for as long as Dracobyte Processes Customer Personal Data. On termination of the Service, Dracobyte will delete or return Customer Personal Data as instructed and permitted by law.
10. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability set out in the Terms of Service.
11. Governing Law
This DPA is governed by the law specified in the Terms of Service, except that the SCCs and the UK Addendum are governed by the laws specified in those instruments.
Annex I. Description of the Processing
A. List of Parties
- Data exporter: Customer, as identified in the order form.
- Data importer: Dracobyte LLC, Illinois, USA. For service of process, contact support@dracobyte.pro to obtain the current registered mailing address.
- EU Representative (where applicable): Dracobyte LLC does not currently offer the Service to residents of the European Economic Area and has not appointed a representative under GDPR Article 27. EU residents may contact support@dracobyte.pro; this notice will be updated if EU targeting changes.
- UK Representative (where applicable): Dracobyte LLC does not currently offer the Service to residents of the United Kingdom and has not appointed a representative under the UK GDPR. UK residents may contact support@dracobyte.pro; this notice will be updated if UK targeting changes.
B. Description of Transfer
- Categories of data subjects: as described in Section 3.
- Categories of personal data: as described in Section 3.
- Sensitive data: none expected; see Section 3.
- Frequency of transfer: continuous, on a per-event basis during the use of the Service.
- Nature of the processing: hosting, storage, security, and support as described in this DPA.
- Purpose of the processing: provision of the Service to Customer.
- Period of retention: as described in Section 4 of this DPA (thirty (30) days active deletion window with backup purge within a further ninety (90) days) and in the Privacy Policy for Dracobyte controller-held data.
- Recipients (subprocessors): as listed at the legal page.
C. Competent Supervisory Authority
For the EEA, the supervisory authority of the EU Member State where the EU Representative is established, or where no Representative is required, the supervisory authority of the EU Member State where the data subjects whose Personal Data is transferred are located. For the United Kingdom, the UK Information Commissioner's Office.
Annex II. Technical and Organizational Measures
- Encryption in transit using TLS 1.2 or higher for all endpoints exposed to the public internet. HTTP Strict Transport Security (HSTS) is enforced on all customer-facing web properties.
- Encryption at rest for backups and offline media using AES-256 or an equivalent modern, industry-standard algorithm. Key management follows documented rotation, access-separation, and revocation procedures.
- Encryption at rest for primary production volumes is applied by default on any storage tier that supports it. Any tier that does not support at-rest encryption is excluded from storing Customer Personal Data.
- Access controls based on least privilege, with role-based access for administrative systems and multi-factor authentication for privileged accounts.
- Network segmentation between tenant workloads and administrative planes, with egress filtering for administrative systems.
- Audit logging of administrative access to systems that process Customer Personal Data, retained for twelve (12) months and longer where required by an active investigation or legal hold.
- Regular vulnerability scanning and prompt patching of underlying infrastructure. Critical vulnerabilities are addressed on a time-bounded remediation schedule tracked in an internal register.
- Background screening of employees with access to production systems, where permitted by law.
- Documented incident response and breach notification procedures, with annual tabletop exercises.
- Employee training on data protection and security at onboarding and at least annually thereafter.
- Disaster recovery procedures, including operational snapshots and regular restoration tests.
Annex II.A. Customer-Initiated Penetration Testing
Customer may conduct, or retain a qualified third party to conduct, non-destructive penetration testing limited to Customer's own tenant of the Service, subject to the following requirements: (i) Customer provides at least fifteen (15) business days prior written notice to legal@dracobyte.pro describing the scope, timing, source IP addresses, and tester identity; (ii) testing is scheduled during a mutually agreed window; (iii) testing does not target infrastructure shared with other customers, does not use denial-of-service techniques or volumetric fuzzing, and does not attempt to access another customer's data; (iv) Customer shares findings with Dracobyte on a reasonable timeline and cooperates with remediation coordination; and (v) Customer is responsible for the conduct of its testers and agrees to indemnify Dracobyte for damages arising from out-of-scope activity. Dracobyte may suspend testing that threatens the stability or security of the shared infrastructure.
Annex III. List of Subprocessors
The current list of subprocessors is maintained at the Service's legal page. The list includes name, location, and the processing activity performed by each subprocessor. The current categories include data center, content delivery and security network (Cloudflare), payment processor, transactional email provider, and ticketing system.
Signature
To execute this DPA, Customer should send a signed copy or acceptance to legal@dracobyte.pro or use the click-through mechanism on the Service's legal page. Dracobyte's counter-signature is the publication of this DPA on the legal page. Privacy contact: privacy@dracobyte.pro.