DATA PROCESSING ADDENDUM (DPA)

DATA PROCESSING ADDENDUM (DPA)

Effective Date: February 28, 2026

Updated: March 5th, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between:

Meta Games LLC

5441 S Macadam Ave #8134

Portland, OR 97239, USA

(“Company”, “BrickVerse” or “Controller”)

and

Any developer, advertiser, enterprise customer, or business user using BrickVerse Services (“Customer” or “Processor” where applicable).

1. Definitions

For purposes of this DPA:

• “GDPR” means Regulation (EU) 2016/679.

• “UK GDPR” means the retained EU law version of GDPR.

• “CCPA/CPRA” means the California Consumer Privacy Act as amended by the California Privacy Rights Act.

• “Personal Data” has the meaning defined under GDPR.

• “Personal Information” has the meaning defined under CCPA.

• “Processing” means any operation performed on Personal Data.

• “Standard Contractual Clauses” or “SCCs” means the European Commission Implementing Decision (EU) 2021/914.

2. Roles of the Parties

Depending on the context:

• BrickVerse acts as a Data Controller for user account data.

• BrickVerse acts as a Processor when processing Personal Data on behalf of enterprise customers, developers, or advertisers.

Where BrickVerse acts as a Processor, this DPA applies.

3. Subject Matter & Duration

Subject Matter

Processing of Personal Data necessary to provide:

• Hosting

• Platform functionality

• Account management

• Payment processing

• Moderation services

• Developer services

• Security monitoring

Duration

Processing continues for the duration of the Services unless earlier terminated.

4. Nature & Purpose of Processing

Processing includes:

• Collection

• Recording

• Storage

• Use

• Transmission

• Deletion

• Security monitoring

Purpose:

• Platform operation

• Fraud prevention

• Content moderation

• Legal compliance

• Customer support

5. Categories of Data Subjects

• End users

• Developers

• Advertisers

• Parents/guardians (for child accounts)

• Business customers

6. Categories of Personal Data

• Identifiers (email, username, IP)

• Device & log data

• Payment metadata

• User-generated content

• Security logs

• Voice data (if enabled)

• Geolocation (general region only)

Sensitive Personal Information under CPRA is not intentionally collected except as required for authentication or fraud prevention.

7. Controller Obligations

Controller represents that:

• It has obtained all required consents.

• It complies with applicable Data Protection Laws.

• It provides required notices to data subjects.

8. Processor Obligations (GDPR Article 28)

BrickVerse, when acting as Processor, shall:

1. Process Personal Data only on documented instructions.

2. Ensure confidentiality obligations for authorized personnel.

3. Implement appropriate technical and organizational measures.

4. Assist Controller in responding to Data Subject Requests.

5. Assist with GDPR Articles 32–36 compliance.

6. Delete or return Personal Data upon termination (unless legally required to retain).

7. Make available information necessary to demonstrate compliance.

9. Security Measures

BrickVerse maintains:

• Encrypted data transmission (TLS 1.2+)

• Encrypted password hashing (non-reversible)

• Encrypted 2FA secrets

• Role-based access controls

• Logging and monitoring systems

• DDoS mitigation (Cloudflare)

• Cloud redundancy (Azure/GCP)

Security measures are reviewed periodically.

10. Subprocessors

BrickVerse utilizes the following third-party service providers (“subprocessors”) to support the operation and delivery of its services.

Subprocessor Service Purposes

Subprocessors may provide services including, but not limited to:

• Cloud services and infrastructure hosting

• Artificial intelligence services utilizing large language models

• Object storage and data storage services

• Content delivery network (CDN) services

• Payment processing services

• Security, verification, and abuse prevention services

• Customer support and communication services

Use of Third-Party Service Providers

BrickVerse may engage third-party service providers to support the operation, security, and delivery of its services. These providers process data solely as necessary to perform the services they provide to BrickVerse.

Where required by applicable law, BrickVerse may update this list of subprocessors or notify customers of material changes.

11. International Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland:

• EU SCCs (2021/914) Module 2 or 3 apply as appropriate.

• UK International Data Transfer Addendum applies for UK transfers.

• Supplementary safeguards are implemented as required.

12. Standard Contractual Clauses (SCC Incorporation)

The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference.

For transfers:

• Module 2 applies where Controller → Processor.

• Module 3 applies where Processor → Processor.

Optional Clauses:

• Clause 7 (Docking Clause): Applies.

• Clause 11 (Redress): No optional independent dispute resolution body designated.

• Clause 17 (Governing Law): Republic of Ireland.

• Clause 18 (Jurisdiction): Courts of Ireland.

Annex I, II, III details are as described in this DPA.

Annex I – Data Exporter / Importer

Exporter: Customer or BrickVerse (as applicable) Importer: BrickVerse or Subprocessor (as applicable)

Contact: [email protected]

Annex II – Technical & Organizational Measures

Includes:

• Encryption in transit and at rest (where supported)

• Access restrictions

• Logging systems

• Staff confidentiality agreements

• Security training

• Incident response procedures

Annex III – Subprocessors

See Section 10 table above.

13. CPRA Compliance Clauses

Where BrickVerse acts as a “Service Provider” or “Contractor” under CPRA:

BrickVerse:

• Shall not sell or share Personal Information.

• Shall not retain, use, or disclose Personal Information outside the business purpose.

• Shall not combine Personal Information with other data except as permitted by law.

• Shall implement reasonable security procedures.

• Shall permit audits or assessments consistent with CPRA.

Customers may take reasonable steps to ensure compliance.

14. Data Subject Requests

BrickVerse shall assist Controller in responding to:

• Access requests

• Deletion requests

• Correction requests

• Portability requests

• Objection to processing

• Restriction requests

Requests must be submitted via [email protected].

15. Data Breach Notification

In the event of a Personal Data Breach:

• BrickVerse will notify Controller without undue delay.

• Notification will include:

  • Nature of breach

  • Categories of affected data

  • Estimated number of affected individuals

  • Remediation steps taken

16. Audit Rights

Controller may request reasonable documentation demonstrating compliance.

Audits must:

• Be conducted during normal business hours.

• Not disrupt operations.

• Be subject to confidentiality.

Independent third-party security reports may satisfy audit obligations.

17. Data Deletion Upon Termination

Upon termination:

• Personal Data will be deleted or returned unless legally required to retain.

• Backup systems may retain encrypted archives temporarily per retention policy.

18. Limitation of Liability

Liability under this DPA shall follow the limitation of liability provisions in the main Services Agreement, except where prohibited by applicable law.

19. Order of Precedence

In case of conflict:

1. SCCs (where applicable)

2. This DPA

3. Terms of Service

20. Governing Law

Unless required otherwise by applicable Data Protection Law:

This DPA is governed by the laws of the State of Oregon, USA.

Where SCCs apply, governing law is as specified in Clause 17 above.