Data Processing Agreement

A DPA covers us acting as a processor for your player/user data. This page summarises what the Asobi Cloud DPA will contain; the marketing site you are reading now doesn't process your user data and doesn't need a DPA.

When this applies

Only when you host your game on Asobi Cloud (currently in closed beta). At that point you are the controller of your players' personal data; Widgrensit AB is the processor, handling storage and real-time traffic on your behalf.

If you self-host the open-source Asobi library, you remain the sole controller and processor — no DPA is needed with us because we never see your data.

Scope

  • Player accounts, sessions, and identifiers.
  • Match state, chat, voting, and presence data.
  • Wallet / inventory / IAP receipt metadata (not payment card data — IAP is via platform stores; no card data touches Asobi).
  • Aggregated telemetry we need to run the service.

Sub-processors

EU-only, minimal list. Any addition will be notified in advance with an objection window.

  • Clever Cloud (France) — compute, managed Postgres, S3-compatible object storage.
  • Hetzner or equivalent EU provider (Germany, Finland) — fallback compute region if required for capacity.
  • Apple / Google (US) — only for in-app purchase receipt validation at the platforms that run your game. This is a lawful necessity for validating purchases; no player PII leaves the EU through this path beyond what Apple/Google already hold for their own billing.

Location

All regular processing in the EU. Primary region: Clever Cloud Paris. Backups remain in the EU.

Security

  • TLS 1.2+ in transit.
  • At-rest encryption for Postgres and object storage.
  • Role-based access for operators; all access logged.
  • Erlang/OTP process isolation — one crashed match cannot read another match's state.
  • Breach notification: within 72 hours of discovery, per GDPR Art. 33.

Data export and deletion

  • Player-level export and erasure on request (forwarded from controller to processor).
  • Account-level: at end of contract, data is returned in a portable format and deleted within 30 days.

Standard Contractual Clauses

Where any transfer to a non-adequate country would occur (currently limited to IAP receipt validation, which is initiated by the platforms themselves), we rely on the EU Commission's SCCs per Decision 2021/914.

Request a copy of the draft DPA

Beta participants and evaluators can email dpa@asobi.dev. The finalised, countersignable DPA will publish here when Asobi Cloud enters general availability.