Last updated: May 31, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between the Customer (“Customer”) and Userplay (“Userplay”) for use of the Userplay service (“Service”). It applies to the processing of Personal Data by Userplay on behalf of the Customer in connection with the Service.
In the event of any conflict between this DPA and the main agreement, this DPA controls with respect to processing of Personal Data.
1. Definitions
- “Personal Data” has the meaning given in applicable Data Protection Law and refers to information relating to an identified or identifiable natural person that Userplay processes on the Customer’s behalf in connection with the Service.
- “Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the agreement, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and equivalent laws in other jurisdictions.
- “Controller,” “Processor,” “Data Subject,” and “Processing” have the meanings given in Data Protection Law.
- “Subprocessor” means any third party engaged by Userplay to process Personal Data on its behalf in connection with the Service.
2. Roles
For Personal Data processed in connection with the Service, the Customer is the Controller and Userplay is the Processor.
For Personal Data Userplay processes on its own behalf (for example, the Customer’s billing contacts and Userplay’s marketing relationship with the Customer), Userplay is the Controller; that processing is governed by the Privacy Policy, not this DPA.
3. Scope and Instructions
Userplay processes Personal Data only to provide the Service in accordance with the Customer’s documented instructions, including:
- The configuration choices the Customer makes within the Service (capture toggles, AI processing toggle, retention settings, integrations).
- The terms of the main agreement and this DPA.
- Any additional written instructions the Customer provides, accepted by Userplay.
Userplay will inform the Customer if, in its reasonable opinion, an instruction violates applicable Data Protection Law.
4. Categories of Data and Data Subjects
The categories of Personal Data and Data Subjects processed by Userplay on the Customer’s behalf include, as applicable to the Customer’s configuration:
- Account and identification data of studio members.
- Session recordings (screen, audio, optional webcam) of testers participating in playtests created by the Customer.
- Transcripts and AI analysis derived from session recordings.
- Optional Chrome extension telemetry, when enabled by both the Customer and the tester.
A full breakdown is in Data Processed.
5. Duration
Userplay processes Personal Data for the duration of the main agreement and as needed to fulfill its obligations under it, subject to the retention provisions in Section 11 and the deletion provisions in Section 12.
6. Confidentiality
Userplay ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
7. Security
Userplay implements and maintains technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Role-based access control, multi-factor authentication, and the principle of least privilege.
- Network segmentation and secrets management.
- Logging, monitoring, and tamper-evident internal audit trails.
- Documented incident response procedures.
- Regular security testing and dependency scanning.
- Personnel security training and confidentiality obligations.
8. Subprocessors
The Customer authorizes Userplay to engage the subprocessors listed in Subprocessors. Userplay will:
- Impose data protection obligations on each subprocessor that are substantially equivalent to those in this DPA.
- Remain responsible for the acts and omissions of its subprocessors with respect to Personal Data.
- Notify the Customer of any intended addition or replacement of subprocessors at least 30 days in advance by updating the public subprocessors page and emailing workspace owners.
The Customer may object in writing to a new subprocessor on reasonable data-protection grounds within the 30-day window. Userplay will work in good faith to resolve the objection, which may include excluding the Customer’s data from that subprocessor where technically feasible, or, where no resolution can be reached, allowing the Customer to terminate the affected portion of the Service per the main agreement.
9. Data Subject Requests
Userplay will, taking into account the nature of the processing:
- Assist the Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Law (access, rectification, erasure, restriction, portability, objection).
- Provide tools within the Service (such as exports and deletions) that the Customer can use to fulfill such requests directly.
- Forward to the Customer any Data Subject requests received directly by Userplay that relate to the Customer’s data, rather than responding to them itself, unless legally required to respond.
10. Incident Notification
Userplay will notify the Customer without undue delay and within 72 hours of becoming aware of a Personal Data breach affecting the Customer’s data. The notification will include the information required by Data Protection Law: the nature of the breach, categories and approximate volume of data affected, likely consequences, mitigation taken or planned, and a point of contact. See Incident Response.
11. Retention
Userplay retains Personal Data only for as long as needed to provide the Service and as configured by the Customer (workspace retention settings, deletion actions), or as required by law. Default retention windows and deletion procedures are described in Data Handling and Data Processed.
12. Return or Deletion on Termination
Upon termination or expiration of the main agreement, the Customer may export Personal Data through the Service for a period of 30 days. After that period, Userplay will delete Personal Data within the Service within 60 days, and request deletion from any subprocessor that holds it on Userplay’s behalf, subject to:
- Backups, which age out within 7 days.
- Internal audit logs, which are retained for up to 365 days.
- Personal Data that Userplay is legally required to retain.
13. International Transfers
The Customer acknowledges that Personal Data may be processed in the United States. Where Personal Data of EEA, UK, or Swiss Data Subjects is transferred to Userplay or its subprocessors outside those territories, the parties rely on the relevant Standard Contractual Clauses (or equivalent mechanism in force at the time) as incorporated by reference into this DPA. Userplay will assist the Customer with any required transfer impact assessment.
14. Audits
Userplay makes available the following to demonstrate compliance with this DPA:
- This documentation space and the Security section.
- Subprocessor attestations (SOC 2, ISO 27001 equivalents), on request and to the extent Userplay is permitted to share them.
Where Data Protection Law requires more, the Customer may submit a written audit request to privacy@userplay.io. The parties will agree on a reasonable scope, timing, and method, with formal audits performed no more than once per year except where there is reasonable belief of a material breach.
15. Effective Date and Changes
This DPA is effective as of the date the Customer accepts the main agreement. Userplay may update this DPA from time to time; material changes that reduce protections for Personal Data will not take effect for existing customers without notice and the opportunity to object.
This DPA is governed by the laws of India, consistent with the Terms of Service.
For questions, contact privacy@userplay.io.