Guardiobot Technologies

Data Processing Agreement

Last Updated: November 20, 2025

GDPR, CCPA, and Federal Compliance

1. Introduction and Definitions

1.1 Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller," "Customer," "you," or "your") and GuardioBot ("Processor," "we," "us," or "our") and governs the processing of Personal Data in connection with the GuardioBot service (the "Service").

GuardioBot is operated as an individual project. "GuardioBot Technologies" is a trade name used to describe the Service and does not constitute a legal business entity.

This DPA is designed to comply with:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The California Consumer Privacy Act ("CCPA")
  • Other applicable data protection laws and regulations

1.2 Key Definitions

For purposes of this DPA, the following terms shall have the meanings set forth below:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or deletion.
  • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data (i.e., you, the customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (i.e., GuardioBot).
  • "Sub-Processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection laws.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Applicability

2.1 Agreement Scope

This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Service. This includes, but is not limited to:

  • User identifiers (Discord IDs, Roblox usernames)
  • Server and experience configuration data
  • Message content processed for moderation purposes
  • Moderation logs and action history
  • Command usage and interaction data
  • Technical and diagnostic information

2.2 Relationship Between Parties

The parties acknowledge and agree that:

  • The Controller is the data controller responsible for determining the purposes and means of Processing Personal Data
  • The Processor acts as a data processor, processing Personal Data only on behalf of and according to the documented instructions of the Controller
  • The Controller is responsible for ensuring that its instructions comply with applicable data protection laws
  • The Processor will not process Personal Data for any purpose other than as instructed by the Controller or as required by applicable law

3. Data Processing Details

3.1 Nature and Purpose

The nature and purpose of Processing Personal Data includes:

  • Moderation Services: Automated and manual content moderation, including detection of policy violations, spam, harassment, and harmful content
  • Security: Detection and prevention of abuse, fraud, security threats, and unauthorized access
  • Service Operations: Providing, maintaining, and supporting the Service's core functionality
  • Analytics: Analyzing usage patterns to improve Service performance and features
  • Logging: Recording moderation actions, system events, and errors for troubleshooting and compliance

3.2 Duration of Processing

Processing will continue for the duration of the Service agreement and for such additional period as may be required by law or to fulfill the purposes outlined in this DPA. Upon termination, Personal Data will be deleted or returned in accordance with Section 9.

3.3 Types of Personal Data

The Processor may process the following categories of Personal Data:

  • Identification Data: User IDs, usernames, display names, profile information
  • Communication Data: Message content, timestamps, channel information, edit history
  • Activity Data: Command usage, interaction history, moderation actions, server activity
  • Technical Data: IP addresses, device information, browser types, connection data
  • Configuration Data: Bot settings, moderation rules, server preferences
  • Log Data: System logs, error logs, moderation logs, access logs

3.4 Categories of Data Subjects

Data Subjects whose Personal Data may be processed include:

  • Discord server members and administrators
  • Roblox experience participants and administrators
  • Users who interact with the Service
  • Users whose content is moderated by the Service

4. Processor Obligations

4.1 Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection laws
  • Not process Personal Data for purposes other than those instructed by the Controller
  • Comply with all applicable data protection laws in the performance of its obligations under this DPA

4.2 Confidentiality

The Processor shall:

  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Maintain the confidentiality of all Personal Data processed under this DPA
  • Not disclose Personal Data to third parties without the Controller's prior written consent, except as required by law
  • Ensure that confidentiality obligations survive termination of employment or engagement

4.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Encryption of Personal Data in transit and at rest
  • Access Controls: Limitation of access to Personal Data to authorized personnel only
  • Authentication: Strong authentication mechanisms for system access
  • Monitoring: Regular monitoring and logging of system access and activities
  • Incident Response: Procedures for detecting, responding to, and recovering from security incidents
  • Backup and Recovery: Regular backups and disaster recovery procedures
  • Security Testing: Regular security assessments, vulnerability scanning, and penetration testing
  • Updates and Patches: Timely application of security updates and patches

4.4 Sub-Processors

The Processor may engage Sub-Processors to process Personal Data on behalf of the Controller. The Processor shall:

  • Maintain a list of current Sub-Processors, which may be requested by the Controller
  • Provide the Controller with advance notice of any intended changes concerning the addition or replacement of Sub-Processors
  • Give the Controller the opportunity to object to such changes within a reasonable timeframe
  • Impose on Sub-Processors the same data protection obligations as set out in this DPA through a written contract
  • Remain fully liable to the Controller for the performance of Sub-Processors' obligations

Current Sub-Processors include cloud hosting providers, database services, and infrastructure providers necessary for Service operations.

5. Controller Obligations

The Controller shall:

  • Ensure that it has all necessary rights and consents to provide Personal Data to the Processor for Processing in accordance with this DPA
  • Ensure that its instructions to the Processor comply with applicable data protection laws
  • Implement appropriate technical and organizational measures to protect Personal Data before providing it to the Processor
  • Provide clear and lawful instructions for Processing Personal Data
  • Inform Data Subjects about the Processing of their Personal Data in accordance with applicable laws
  • Handle Data Subject requests and complaints in accordance with applicable laws, with assistance from the Processor as needed
  • Notify the Processor immediately if it becomes aware of any Personal Data Breach affecting data processed under this DPA
  • Comply with all applicable data protection laws in its capacity as Controller

6. Data Subject Rights

6.1 Assistance with Requests

The Processor shall, taking into account the nature of the Processing, assist the Controller by implementing appropriate technical and organizational measures to fulfill the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws.

If a Data Subject submits a request directly to the Processor, the Processor shall promptly forward the request to the Controller and shall not respond to the request without the Controller's prior written authorization.

6.2 Rights Under GDPR

Data Subjects in the European Economic Area have the following rights under the GDPR:

  • Right of Access: The right to obtain confirmation of whether Personal Data is being processed and access to such data
  • Right to Rectification: The right to have inaccurate Personal Data corrected
  • Right to Erasure: The right to have Personal Data deleted ("right to be forgotten")
  • Right to Restriction: The right to restrict Processing of Personal Data
  • Right to Data Portability: The right to receive Personal Data in a structured, commonly used, machine-readable format
  • Right to Object: The right to object to Processing based on legitimate interests
  • Right to Withdraw Consent: The right to withdraw consent at any time (where Processing is based on consent)
  • Right to Lodge a Complaint: The right to lodge a complaint with a Supervisory Authority

6.3 Rights Under CCPA

Data Subjects in California have the following rights under the CCPA:

  • Right to Know: The right to request disclosure of Personal Data collected, used, or disclosed
  • Right to Delete: The right to request deletion of Personal Data
  • Right to Opt-Out: The right to opt out of the sale of Personal Data (note: we do not sell Personal Data)
  • Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising privacy rights

7. Data Breach Notification

7.1 Notification Requirements

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach. The notification shall include, to the extent possible:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected
  • The categories and approximate number of Personal Data records affected
  • The name and contact details of the Processor's data protection officer or other contact point
  • A description of the likely consequences of the Personal Data Breach
  • A description of measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects

7.2 Cooperation

The Processor shall:

  • Cooperate with the Controller in investigating and remediating the Personal Data Breach
  • Provide reasonable assistance to the Controller in notifying Supervisory Authorities and affected Data Subjects as required by law
  • Take reasonable steps to mitigate the effects of the Personal Data Breach and prevent further breaches
  • Document all Personal Data Breaches and make such documentation available to the Controller upon request

8. International Data Transfers

8.1 Transfer Mechanisms

The Processor processes Personal Data primarily in the United States. If the Controller is located in the European Economic Area, United Kingdom, or Switzerland, transfers of Personal Data to the United States are international data transfers subject to additional safeguards.

The parties acknowledge that such transfers may be subject to:

  • EU-U.S. Data Privacy Framework (if applicable)
  • Standard Contractual Clauses approved by the European Commission
  • Other lawful transfer mechanisms under applicable law

8.2 Standard Contractual Clauses

To the extent required by applicable law, the parties agree to enter into the European Commission's Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries. These clauses are incorporated by reference and form an integral part of this DPA.

The Controller acts as the "data exporter" and the Processor acts as the "data importer" for purposes of the Standard Contractual Clauses.

9. Data Deletion and Return

Upon termination of the Service agreement or at the Controller's written request, the Processor shall, at the Controller's election:

  • Delete all Personal Data processed under this DPA (including existing copies), except to the extent that applicable law requires continued storage; or
  • Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format

The Processor shall complete deletion or return within 90 days of termination or request, unless a longer period is required or permitted by law.

The Processor shall certify in writing to the Controller that it has complied with the requirements of this Section, including confirmation that all Personal Data has been deleted or returned.

Retention for Legal Compliance: The Processor may retain Personal Data to the extent required by applicable law, including:

  • Data required for compliance with legal obligations (e.g., tax, accounting, or regulatory requirements)
  • Data required for the establishment, exercise, or defense of legal claims
  • Data required for compliance with valid legal process (e.g., subpoenas, court orders)

Retained data shall remain subject to the confidentiality and security obligations of this DPA and shall be deleted as soon as the retention obligation expires.

10. Audit Rights

The Controller may, with reasonable advance notice and during normal business hours, audit the Processor's compliance with this DPA. Such audits shall be conducted:

  • No more than once per year, unless required by a Supervisory Authority or in response to a Personal Data Breach
  • In a manner that does not unreasonably interfere with the Processor's business operations
  • Subject to appropriate confidentiality obligations
  • At the Controller's expense, unless the audit reveals material non-compliance

The Processor shall:

  • Make available to the Controller all information necessary to demonstrate compliance with this DPA
  • Cooperate with and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
  • Provide reasonable assistance and access to facilities, systems, and personnel

The Controller may engage a qualified independent third-party auditor to conduct audits on its behalf, subject to the Processor's prior written approval (which shall not be unreasonably withheld).

11. Liability and Indemnification

The parties' liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service, except to the extent prohibited by applicable data protection laws.

Each party shall be liable for damages caused by Processing that violates applicable data protection laws, except where the party proves it is not responsible for the event giving rise to the damage.

The Processor shall be liable for damages caused by Processing only where it has not complied with obligations specifically directed to processors under applicable data protection laws or where it has acted outside or contrary to lawful instructions of the Controller.

Indemnification: The Processor shall indemnify and hold harmless the Controller from and against any claims, losses, damages, costs, and expenses (including reasonable attorneys' fees) arising from:

  • The Processor's breach of this DPA or applicable data protection laws
  • The Processor's negligence or willful misconduct in Processing Personal Data
  • Claims by Data Subjects arising from the Processor's Processing of Personal Data in violation of this DPA or applicable law

This indemnification is subject to the Controller providing prompt notice of the claim, cooperating with the Processor's defense, and allowing the Processor sole control of the defense and settlement of the claim.

12. Term and Termination

This DPA shall commence on the date the Controller first uses the Service and shall continue for the duration of the Service agreement, unless earlier terminated in accordance with this Section or the Terms of Service.

Termination for Breach: Either party may terminate this DPA with immediate effect by written notice if:

  • The other party materially breaches this DPA and fails to remedy the breach within 30 days of receiving written notice
  • A Supervisory Authority orders the suspension or prohibition of Processing under this DPA
  • Applicable law prohibits the Processing contemplated by this DPA

Effect of Termination: Upon termination of this DPA:

  • The Processor shall cease all Processing of Personal Data on behalf of the Controller
  • The Processor shall delete or return all Personal Data in accordance with Section 9
  • All obligations regarding confidentiality, security, and data protection shall survive termination

13. General Provisions

Governing Law: This DPA shall be governed by the laws of the State of Texas, except to the extent that applicable data protection laws (including GDPR or CCPA) provide otherwise.

Conflicts: In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the Processing of Personal Data.

Amendments: Any amendments to this DPA must be in writing and signed by both parties, except that the Processor may update this DPA to comply with changes in applicable data protection laws upon providing reasonable notice to the Controller.

Severability: If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be replaced with a valid provision that achieves the parties' original intent.

Entire Agreement: This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the Processing of Personal Data.

Assignment: The Controller may not assign this DPA without the Processor's prior written consent. The Processor may assign this DPA in connection with a merger, acquisition, or sale of all or substantially all of its assets upon providing notice to the Controller.

No Third-Party Beneficiaries: This DPA does not confer any rights upon any person or entity other than the parties and their successors and permitted assigns, except that Data Subjects are intended third-party beneficiaries with respect to their rights under applicable data protection laws.

14. Contact Information

For questions, concerns, or requests regarding this Data Processing Agreement or data protection matters, please contact:

GuardioBot Data Protection

Privacy Matters: privacy@guardiobot.org

Data Protection Officer: dpo@guardiobot.org

Legal Matters: legal@guardiobot.org

General Support: support@guardiobot.org

Website: https://guardiobot.org

We will respond to inquiries within a reasonable timeframe, typically within 30 days as required by applicable law.

BY USING GUARDIOBOT, YOU ACKNOWLEDGE THAT:

1. You have read and understood this Data Processing Agreement in its entirety.
2. You agree to the terms and conditions set forth in this DPA.
3. You understand your role as Controller and our role as Processor.
4. You acknowledge the Processing activities described in this DPA.
5. You agree to comply with your obligations as Controller under applicable data protection laws.
6. You consent to the engagement of Sub-Processors as described in this DPA.

IF YOU DO NOT AGREE TO THIS DPA, DO NOT USE THE SERVICE.