Note: This is an English translation. In case of discrepancies, the German version takes precedence. You can find the German version here.

Data Processing Agreement (DPA) in accordance with Art. 28 GDPR

between

ServerAtelier UG (haftungsbeschränkt)

Malvenstr. 4, 75433 Maulbronn, Germany

represented by the managing directors: Paul Sengl and Micha Damaschke

Email: support@serveratelier.com

– hereinafter referred to as "Data Processor" or "ServerAtelier" –

and

the Customer,

who receives server services from ServerAtelier as part of a server rental agreement,

– hereinafter referred to as "Controller" or "Customer" –

the following agreement on the processing of personal data on behalf of the Controller is concluded:


§ 1 Subject Matter and Duration of Processing

(1)

The Data Processor provides server services for the Controller in accordance with the main agreement (e.g., game server hosting).

(2)

To the extent the Customer stores, processes, or transmits personal data on the provided server, this is done exclusively within the scope of this agreement.

(3)

This agreement is valid for the duration of the underlying main agreement. Upon its termination, all stored data and any backups created will be deleted in accordance with § 9.


§ 2 Type and Purpose of Processing

(1)

Processing is carried out for the purpose of providing, maintaining, and securing virtual servers (game servers) for the Customer.

(2)

The Data Processor provides the technical infrastructure (server and network capacities, panel access, backup options) and, if necessary, performs maintenance and support measures.

(3)

The Data Processor does not conduct any review, use, or evaluation of the content of the data stored on the servers.


§ 3 Types of Data and Categories of Data Subjects

(1)

Processing may – depending on the Customer's use – include the following types of personal data:
  • User and account data (e.g., usernames, IP addresses)
  • Communication and game information, to the extent processed by the Customer
  • Server or log data that may allow inferences about individuals

(2)

Data subjects may include in particular:
  • Customers, users, or players of the Controller
  • Administrators or employees of the Controller

§ 4 Obligations of the Data Processor

(1)

ServerAtelier processes personal data exclusively based on documented instructions from the Customer, unless required by law.

(2)

All persons at the Data Processor involved in the processing of personal data are bound by confidentiality.

(3)

ServerAtelier implements appropriate technical and organizational measures (TOMs) according to Art. 32 GDPR, in particular:
  • Physical and logical access control (e.g., via secured data centers, SSH access)
  • Encryption of data transmission (TLS, HTTPS)
  • Encrypted storage of backups in Hetzner Object Storage (S3)
  • Separation of customer environments (container virtualization via Docker/Pterodactyl)
  • Logging of administrative access
  • Recovery and deletion concepts

(4)

The Data Processor supports the Customer in fulfilling its obligations pursuant to Art. 32–36 GDPR (e.g., in case of security incidents or data subject requests).

(5)

ServerAtelier will inform the Customer without delay if, in its opinion, an instruction violates data protection law.


§ 5 Sub-processor Relationships

(1)

The Customer agrees to the involvement of the following sub-processors:
  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
    Provision of server infrastructure (hosting, DDoS protection, backup)
  • Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107 USA
    Security and performance services (CDN, DDoS protection, HTTPS)
    Transfers to Cloudflare are based on the EU Commission's Standard Contractual Clauses pursuant to Art. 46 GDPR.

(2)

Further sub-processors may only be engaged after prior information and consent of the Customer.

(3)

Contracts in accordance with Art. 28(4) GDPR are in place with all sub-processors.

(4)

ServerAtelier does not transfer data to third countries outside the EU/EEA unless explicitly agreed contractually.

(5)

In the event of a transfer to a third country that is neither recognized under Art. 45 GDPR as providing an "adequate level of protection" nor secured by other appropriate safeguards (e.g., EU Standard Contractual Clauses), ServerAtelier confirms that adequate additional technical and organizational measures are in place.


§ 6 Rights and Obligations of the Controller

(1)

The Customer remains the Controller for the processing within the meaning of the GDPR.

(2)

The Customer is responsible for the lawfulness of the processing, the protection of personal data, and safeguarding the rights of data subjects.

(3)

The Customer may only use the Data Processor in compliance with applicable data protection law.


§ 7 Security Incidents and Notifications

(1)

ServerAtelier will inform the Customer without delay about any personal data breaches affecting the data processed under this agreement. The notification will include at least the nature of the incident, the categories of data affected, potential consequences, and the measures taken or planned to address the breach.


§ 8 Evidence and Audit Rights

(1)

Upon request, the Data Processor will provide the Customer with the information necessary to demonstrate compliance with Art. 28 GDPR (e.g., certificates or data center audit reports).

(2)

Audits or inspections may be carried out after reasonable prior notice during business hours and without endangering system security.


§ 9 Deletion and Return of Data

(1)

Upon termination of the main agreement, all data stored on the servers and any backups created will be deleted immediately (0 days retention).

(2)

Data will only be returned or transferred upon explicit instruction from the Customer and within the term of the agreement.

(3)

Backups stored in Hetzner Object Storage are deleted automatically as soon as the agreement ends or the server panel removes the server.


§ 10 Liability

(1)

The liability provisions of the main agreement apply. Liability under data protection law is governed by Art. 82 GDPR.


§ 11 Final Provisions

(1)

Amendments or supplements to this agreement require written form.

(2)

Should any provision of this agreement be invalid, the validity of the remaining provisions shall remain unaffected.

(3)

German law shall apply. The place of jurisdiction shall be – insofar as legally permissible – the registered office of ServerAtelier.


Maulbronn, Date of Agreement

For ServerAtelier UG (haftungsbeschränkt)
Paul Sengl / Micha Damaschke
(Managing Directors)

For the Customer

(Name / Signature)