XXVII. EXHIBITS
1. EXHIBIT A — DETAILS OF PROCESSING
- Subject Matter: Processing of Personal Data by Vendor in connection with providing services to Vamble under the Agreement.
- Duration: For the term of the Agreement, plus the period from termination until deletion/return under Section XXV. 11 (Return; Deletion; Retention).
- Nature of Processing: Collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, alignment/combination, restriction, erasure, and destruction, as applicable to the services.
- Purpose of Processing: Providing the contracted services, including (as applicable) hosting, cloud infrastructure, analytics, customer support tooling, identity verification support, communications tooling, payment processing support, security monitoring, fraud prevention tooling, and related operational services.
- Categories of Data Subjects: Vamble users/players, prospective users, business contacts, customer support requestors, and Vamble personnel (as applicable).
- Categories of Personal Data: Identifiers (name, email, username, device identifiers), contact details, account and profile data, device and usage data, approximate location data, customer support communications, transaction metadata, verification metadata, and other data types as required by the services.
- Special Categories (if applicable): Vendor will Process special categories of data only if expressly required for the services and instructed by Vamble, and subject to appropriate safeguards.
- Processing Operations: As necessary to provide the services, maintain security, perform troubleshooting, and comply with legal obligations.
2. EXHIBIT B — SECURITY MEASURES (SECURITY EXHIBIT)
Vendor will maintain a written information security program that includes appropriate administrative, technical, and physical safeguards, including:
- Access Control: least privilege, role-based access, strong authentication (including MFA for privileged access), periodic access reviews, and timely deprovisioning.
- Encryption: encryption in transit using industry-standard TLS; encryption at rest for stored Personal Data where feasible and appropriate for the service.
- Logging and Monitoring: security event logging for systems processing Personal Data; monitoring for anomalous access and suspicious activity.
- Vulnerability Management: regular vulnerability scanning, timely patching, and a documented remediation process; secure configuration baselines.
- Secure Development (if applicable): change management, code review practices, and dependency/security scanning for software used to provide the services.
- Incident Response: a documented incident response plan and escalation procedures, with personnel trained on response obligations.
- Backups and Recovery: backup procedures and disaster recovery capabilities appropriate to the service, with periodic testing.
- Physical Security (if applicable): controls to prevent unauthorized physical access to systems and facilities used to provide the services.
- Personnel Security: confidentiality commitments, background checks where appropriate and lawful, and periodic security training.
- Data Minimization: limits on collection and retention consistent with service needs and Section XXV. 11 (Return; Deletion; Retention).
- Sub-Processor Security: due diligence and contractual controls requiring Sub-Processors to maintain safeguards consistent with this DPA.
3. EXHIBIT C — STANDARD CONTRACTUAL CLAUSES (SCCs) / UK ADDENDUM / SWISS ADDENDUM (INCORPORATED BY REFERENCE)
EU SCCs (Commission Implementing Decision (EU) 2021/914) — Incorporated by Reference
Where GDPR applies and Personal Data is transferred from the EEA to a country not recognized by the European Commission as providing adequate protection, the Parties incorporate by reference the EU Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914 (as updated, replaced, or superseded) as follows:
- Module: The SCCs apply using Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor), as applicable to the transfer.
- Parties:
  - Data Exporter: Vamble, Inc.
  - Data Importer: Vendor (and, where applicable, Vendor’s Sub-Processor)
- Docking Clause: Enabled.
- Competent Supervisory Authority: The authority determined under GDPR based on Vamble’s main establishment in the EU, or if none, as determined under GDPR.
- Annexes/Appendices: The SCC Annex information is satisfied by:
  - EXHIBIT A — DETAILS OF PROCESSING, EXHIBIT B — SECURITY MEASURES (SECURITY EXHIBIT), which form the SCC Annexes by reference; and
  - The Vendor’s Sub-Processor List (as maintained and disclosed under Section XXV. 7 (Sub-Processors) of the DPA) for SCC Annex requirements relating to Sub-Processors.
UK Addendum (International Data Transfer Addendum to the EU SCCs) — Incorporated by Reference
Where UK GDPR applies to a restricted transfer from the UK, the Parties incorporate by reference the UK International Data Transfer Addendum to the EU SCCs (as updated, replaced, or superseded). The Parties agree that:
- The EU SCCs identified in Section XXVII. 3 (Exhibit C, Section 1) above are the “Approved EU SCCs” for purposes of the UK Addendum.
- The required tables of the UK Addendum are completed using the information in EXHIBIT A — DETAILS OF PROCESSING, EXHIBIT B — SECURITY MEASURES (SECURITY EXHIBIT), and the Vendor’s Sub-Processor List as described in Section XXV. 7 (Sub-Processors).
- Any conflict between the UK Addendum and the EU SCCs will be resolved in accordance with the UK Addendum’s conflict provisions.
Swiss Addendum — Incorporated by Reference
Where Swiss data protection law applies to a restricted transfer, the Parties incorporate by reference the EU SCCs identified in Section XXVII. 3 (Exhibit C, Section 1) above with modifications required by Swiss law, including:
- References to “GDPR” are interpreted to include the Swiss Federal Act on Data Protection (FADP), as applicable.
- References to “supervisory authority” include the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable.
- Data Subject rights and jurisdiction clauses are interpreted to provide protections required under Swiss law.
Availability of SCC Text
The SCC text and UK Addendum text are publicly available from official government/regulator sources and are incorporated here by reference. The Parties intend incorporation by reference to be legally effective and to avoid reproducing lengthy regulatory text within this DPA.
4. EXHIBIT D — OPEN-SOURCE SOFTWARE NOTICES
The Platform may include or depend on open-source software components. Where required by applicable licenses, Vamble will make available applicable notices, attributions, and license texts (for example, within the mobile app settings, within the web application, or on a Vamble-controlled webpage made available through the Platform). Open-source software is licensed to you by the applicable rights holders under the applicable open-source license terms, not by Vamble, and is provided “as is” to the maximum extent permitted by law.