Data Processing Agreement

Last updated: October 1, 2025

This DPA governs the processing of personal data when Mamba Host acts as a processor on behalf of customers who are data controllers.

1) Introduction & Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Asmar Media Group LLC d/b/a Mamba Host ("Processor," "we," "us") and you ("Controller," "Customer," "you") when you use our Services to process personal data.

This DPA applies when:

  • You determine the purposes and means of processing personal data using our Services
  • We process personal data on your behalf as part of providing the Services
  • The processing is subject to data protection laws including GDPR, UK GDPR, CCPA/CPRA, or similar regulations

By using our Services to process personal data, you agree to this DPA.

2) Definitions

  • "Customer Personal Data" means any personal data that you upload, submit, or otherwise process using our Services, excluding Mamba Host Account Data.
  • "Data Protection Laws" means all applicable laws relating to privacy and data protection, including GDPR, UK GDPR, CCPA/CPRA, and their implementing regulations.
  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Data Subject" have the meanings given in applicable Data Protection Laws.
  • "Standard Contractual Clauses" or "SCCs" means the EU Commission's standard contractual clauses for international data transfers.

3) Roles & Responsibilities

You as Controller: You are the data controller who determines the purposes and means of processing Customer Personal Data. You are responsible for:

  • Ensuring you have a lawful basis for processing under Data Protection Laws
  • Providing required notices and obtaining necessary consents from data subjects
  • Ensuring data accuracy and appropriateness for your purposes
  • Responding to data subject requests (we will assist as described below)
  • Compliance with all applicable Data Protection Laws

We as Processor: We process Customer Personal Data solely on your documented instructions (as set forth in your use of the Services and this DPA). We will not process Customer Personal Data for our own purposes or disclose it to third parties except as permitted by this DPA or required by law.

4) Processing Instructions

Your instructions for processing are documented in:

  • Your use of the Services through the control panel and API
  • The Terms of Service and this DPA
  • Any written instructions you provide via support tickets or email

We will process Customer Personal Data only in accordance with these documented instructions unless required to process by applicable law (in which case we will notify you unless legally prohibited).

If we determine that an instruction violates Data Protection Laws, we will promptly inform you and may suspend processing until you modify the instruction.

5) Nature & Purpose of Processing

Subject Matter: Provision of game server hosting, VPS hosting, and related infrastructure services.

Duration: For the term of your Services subscription and the retention period specified in Section 14.

Nature of Processing: Storage, retrieval, transmission, organization, and deletion of Customer Personal Data as necessary to provide the Services.

Purpose: To provide, maintain, secure, and support the Services as contracted.

Categories of Data Subjects: As determined by you, potentially including your players, users, community members, employees, or customers.

Types of Personal Data: As determined by you, potentially including names, usernames, email addresses, IP addresses, game activity logs, chat logs, uploaded files, or other data you collect via the Services.

6) Sub-processors

You authorize us to engage sub-processors to assist in providing the Services. Our current sub-processors are listed on our Subprocessor List.

Sub-processor Requirements:

  • We ensure sub-processors are bound by written agreements requiring data protection standards no less protective than this DPA
  • We remain liable to you for sub-processors' processing of Customer Personal Data
  • Sub-processors are engaged only for specific, limited purposes consistent with providing the Services

Changes to Sub-processors:

  • We will update the Subprocessor List at least 30 days before engaging new sub-processors
  • We will notify you via email when the list is updated
  • You may object to a new sub-processor within 30 days by emailing privacy@mambahost.com
  • If you object and we cannot accommodate your objection, you may terminate the affected Services for a pro-rata refund of prepaid fees

7) Security Measures

We implement appropriate technical and organizational measures to protect Customer Personal Data, including:

Technical Measures:

  • Encryption in transit (TLS 1.2+) for data transmission
  • Encryption at rest for storage systems
  • Network segmentation and firewalling
  • Intrusion detection and prevention systems
  • Regular security patching and updates
  • Secure access controls and authentication (including MFA)

Organizational Measures:

  • Access limited to authorized personnel on a need-to-know basis
  • Confidentiality obligations for all personnel
  • Background checks for personnel with data access
  • Regular security training and awareness programs
  • Incident response and breach notification procedures
  • Annual third-party security assessments

We will not materially decrease the overall security of the Services during your subscription term.

8) Data Subject Rights

We will provide reasonable assistance to enable you to respond to data subject requests (access, rectification, erasure, restriction, portability, objection) considering the nature of processing.

Our assistance includes:

  • Providing control panel tools for you to access, modify, or delete Customer Personal Data
  • Responding to your written requests for assistance within 10 business days
  • Making available information necessary to demonstrate compliance with this DPA

If we receive a data subject request directly, we will forward it to you within 5 business days unless legally required to respond ourselves.

9) Personal Data Breaches

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer Personal Data.

Our notification will include, to the extent available:

  • Description of the nature of the breach
  • Categories and approximate number of affected data subjects and records
  • Name and contact information of our data protection officer or point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

We will provide reasonable cooperation to help you meet your breach notification obligations under Data Protection Laws.

10) Audits & Inspections

We will make available to you information reasonably necessary to demonstrate compliance with this DPA, including:

  • Annual SOC 2 Type II reports (or similar third-party certifications)
  • Security documentation and policies (subject to confidentiality)
  • Responses to reasonable compliance questionnaires (up to 1 per year)

You may conduct audits or inspections, provided:

  • You provide at least 30 days' written notice
  • Audits occur no more than once per year (unless required by Data Protection Laws or in response to a breach)
  • Audits are conducted during business hours and do not unreasonably interfere with operations
  • You and your auditors sign our standard confidentiality agreement
  • You bear all costs associated with the audit

11) International Transfers

Customer Personal Data may be processed in the United States and other jurisdictions where we or our sub-processors maintain facilities.

EU/EEA and UK Transfers:

  • For transfers of personal data from the EU/EEA or UK to countries without an adequacy decision, the Standard Contractual Clauses (Module 2: Controller-to-Processor) are hereby incorporated by reference
  • In case of conflict between this DPA and the SCCs, the SCCs prevail
  • We implement supplementary measures as needed for lawful transfers

Governing Law for SCCs: The laws of Ireland (for EU/EEA transfers) or England and Wales (for UK transfers).

Supervisory Authority: The supervisory authority in your Member State or the Irish Data Protection Commission (for EU transfers) or UK ICO (for UK transfers).

12) Confidentiality

We ensure that all personnel authorized to process Customer Personal Data:

  • Are subject to binding confidentiality obligations
  • Receive appropriate training on Data Protection Laws and security
  • Access Customer Personal Data only as necessary to provide the Services

13) Return or Deletion of Data

Upon termination of your Services or upon your written request, we will:

  • Provide you 14 days to export Customer Personal Data via the control panel
  • Delete all Customer Personal Data from our production systems within 30 days of termination
  • Delete all Customer Personal Data from backups within 90 days of termination

We may retain limited data as required by applicable law (e.g., tax records, audit logs) or for legitimate business purposes (e.g., billing disputes). Retained data will continue to be protected under this DPA.

14) Retention Period

We retain Customer Personal Data for:

  • Active subscription: Duration of your Services subscription
  • Post-termination: 14 days for data export, then deleted per Section 13
  • Legal requirements: As required by law (typically 7 years for financial records)
  • Backup copies: Maximum 90 days in encrypted backups

15) Data Protection Officer

For questions about data processing or this DPA, contact:

Data Protection Contact
Asmar Media Group LLC
Attn: Privacy & Data Protection
Email: privacy@mambahost.com

16) CCPA/CPRA Addendum (California)

When we process California Consumer Personal Information on your behalf as a "service provider" or "contractor" under the CCPA/CPRA, we agree that:

  • We will not sell or share Customer Personal Data
  • We will not retain, use, or disclose Customer Personal Data except as necessary to provide the Services or as otherwise permitted by the CCPA/CPRA
  • We will not combine Customer Personal Data with personal information we receive from other sources
  • We certify that we understand these restrictions and will comply with them

17) Liability & Indemnification

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.

You will indemnify us against claims arising from:

  • Your violation of Data Protection Laws
  • Your processing instructions that violate Data Protection Laws
  • Claims by your data subjects where you failed to meet your controller obligations

18) Term & Termination

This DPA takes effect when you first use our Services to process personal data and continues until:

  • Termination of all Services subscriptions, plus the retention period in Section 14
  • You cease processing all Customer Personal Data using our Services

Sections relating to confidentiality, deletion, liability, and dispute resolution survive termination.

19) Order of Precedence

In case of conflict:

  1. Standard Contractual Clauses (for EU/UK transfers)
  2. This DPA
  3. Terms of Service

20) Changes to This DPA

We may update this DPA to reflect:

  • Changes in Data Protection Laws
  • Guidance from supervisory authorities
  • Changes to our data processing practices

Material changes will be notified at least 30 days in advance via email. Continued use after changes constitutes acceptance.

21) Governing Law & Jurisdiction

Except where the SCCs apply (which have their own governing law provisions), this DPA is governed by the laws specified in the Terms of Service.

Related Documents

Contact

Email: privacy@mambahost.com • Legal: legal@mambahost.com