Reference: This is an English translation. In case of discrepancies, the German version takes precedence. You can find the German version here.

Data Processing Agreement (DPA) in accordance with Art. 28 GDPR

between

ServerAtelier UG (haftungsbeschränkt)

Malvenstr. 4, 75433 Maulbronn, Germany

represented by the managing directors: Paul Sengl and Micha Damaschke

Email: support@serveratelier.com

– hereinafter referred to as "Data Processor" or "ServerAtelier" –

and

the Customer,

who receives server services from ServerAtelier as part of a server rental agreement,

– hereinafter referred to as "Controller" or "Customer" –

the following agreement on the processing of personal data on behalf is concluded:

§ 1 Subject Matter and Duration of Processing

(1)

The Data Processor provides server services for the Controller in accordance with the main agreement (e.g., game server hosting).

(2)

To the extent the Customer stores, processes, or transmits personal data on the provided server, this is done exclusively within the scope of this agreement.

(3)

This agreement is valid for the duration of the underlying main agreement. Upon its termination, all stored data and any backups created will be deleted in accordance with § 9.

§ 2 Type and Purpose of Processing

(1)

Processing is carried out for the purpose of providing, maintaining, and securing virtual servers (game servers) for the Customer.

(2)

The Data Processor provides the technical infrastructure (server and network capacities, panel access, backup options) and, if necessary, performs maintenance and support measures.

(3)

The Data Processor does not conduct any review, use, or evaluation of the content of the data stored on the servers.

§ 3 Types of Data and Categories of Data Subjects

(1)

Processing may – depending on the Customer's use – include the following types of personal data:

User and account data (e.g., usernames, IP addresses)
Communication and game information, to the extent processed by the Customer
Server or log data that may allow inferences about individuals

(2)

Data subjects may include in particular:

Customers, users, or players of the Controller
Administrators or employees of the Controller

§ 4 Obligations of the Data Processor

(1)

ServerAtelier processes personal data exclusively based on documented instructions from the Customer, unless required by law.

(2)

All persons at the Data Processor involved in the processing of personal data are bound by confidentiality.

(3)

ServerAtelier implements appropriate technical and organizational measures (TOMs) according to Art. 32 GDPR, in particular:

Physical and logical access control (e.g., via secured data centers, SSH access)
Encryption of data transmission (TLS, HTTPS)
Encrypted storage of backups in Hetzner Object Storage (S3)
Separation of customer environments (container virtualization via Docker/Pterodactyl)
Logging of administrative access
Recovery and deletion concepts

(4)

The Data Processor supports the Customer in fulfilling its obligations pursuant to Art. 32–36 GDPR (e.g., in case of security incidents or data subject requests).

(5)

ServerAtelier will inform the Customer without delay if, in its opinion, an instruction violates data protection law.

§ 5 Sub-processor Relationships

(1)

The Customer agrees to the involvement of the following sub-processors:

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Provision of server infrastructure (hosting, DDoS protection, backup)
Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107 USA
Security and performance services (CDN, DDoS protection, HTTPS)
Transfers to Cloudflare are based on the EU Commission's Standard Contractual Clauses pursuant to Art. 46 GDPR.
HZ Hosting Ltd, 59 Iztochen blvd., Kamenica Park, 4000 Plovdiv, Bulgaria
Primary Processor for the provision of server infrastructure
Databank, Plano, TX, USA
Sub-processor of HZ Hosting Ltd. for the physical hosting of the servers, provided the Customer chooses this location

(2)

Further sub-processors may only be engaged after prior information and consent of the Customer.

(3)

Contracts in accordance with Art. 28(4) GDPR are in place with all sub-processors.

(4)

ServerAtelier generally processes data within the EU/EEA. However, if the Customer expressly chooses a server location in a third country (e.g., USA), processing will take place in that third country.

(5)

In the event of a transfer to a third country (e.g., USA), ServerAtelier ensures that the requirements of Art. 44 et seq. GDPR are met (e.g., by concluding Standard Contractual Clauses or the existence of an adequacy decision such as the EU-US Data Privacy Framework).

§ 6 Rights and Obligations of the Controller

(1)

The Customer remains the Controller for the processing within the meaning of the GDPR.

(2)

The Customer is responsible for the lawfulness of the processing, the protection of personal data, and safeguarding the rights of data subjects.

(3)

The Customer may only use the Data Processor in compliance with applicable data protection law.

§ 7 Security Incidents and Notifications

(1)

ServerAtelier will inform the Customer without delay about any personal data breaches affecting the data processed under this agreement. The notification will include at least the nature of the incident, the categories of data affected, potential consequences, and the measures taken or planned to address the breach.

§ 8 Evidence and Audit Rights

(1)

Upon request, the Data Processor will provide the Customer with the information necessary to demonstrate compliance with Art. 28 GDPR (e.g., certificates or data center audit reports).

(2)

Audits or inspections may be carried out after reasonable prior notice during business hours and without endangering system security.

§ 9 Deletion and Return of Data

(1)

Upon termination of the main agreement, all data stored on the servers and any backups created will be deleted immediately (0 days retention).

(2)

Data will only be returned or transferred upon explicit instruction from the Customer and within the term of the agreement.

(3)

Backups stored in Hetzner Object Storage are deleted automatically as soon as the agreement ends or the server panel removes the server.

§ 10 Liability

(1)

The liability provisions of the main agreement apply. Liability under data protection law is governed by Art. 82 GDPR.

§ 11 Final Provisions

(1)

Amendments or supplements to this agreement require written form.

(2)

Should any provision of this agreement be invalid, the validity of the remaining provisions shall remain unaffected.

(3)

German law shall apply. The place of jurisdiction shall be – insofar as legally permissible – the registered office of ServerAtelier.

Maulbronn, Date of Agreement

For ServerAtelier UG (haftungsbeschränkt)
Paul Sengl / Micha Damaschke
(Managing Directors)

For the Customer

(Name / Signature)

Nom	Fournisseur	Expiration	Objectif
serveratelier_session	ServerAtelier	Session	Identifie une instance de session pour un utilisateur
pterodactyl_session	ServerAtelier	Session	Identifie une instance de session pour un utilisateur
cookie_consent	ServerAtelier	1 an	Stocke la sélection des cookies
XSRF-TOKEN	ServerAtelier	Session	Empêcher les attaques par falsification de requête intersites (CSRF)
cf_clearance	Cloudflare	Session	Ce service est utilisé par Cloudflare pour détecter les bots et protéger la page d'inscription contre les attaques automatisées.
__stripe_mid	Stripe	1 an	Utilisé par Stripe pour la détection de fraude et à des fins de sécurité.
__stripe_sid	Stripe	Session	Utilisé par Stripe pour les vérifications de sécurité et aide Stripe à évaluer le risque de transaction lié à la tentative de paiement immédiate.

Nom	Fournisseur	Expiration	Objectif
locale	ServerAtelier	1 an	Stocke la langue sélectionnée
currency	ServerAtelier	1 an	Stocke la devise sélectionnée
remember_web_*	ServerAtelier	1 an	Après la connexion, maintient l'utilisateur connecté sur plusieurs sessions
visitor_id	ServerAtelier	1 an	Collecte des données anonymes sur la façon dont les visiteurs utilisent notre site