Data Processing Agreement
Effective: May 2026
1. Definitions
In this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement or in the GDPR, as applicable.
- "Controller" means the Customer, the entity that determines the purposes and means of the processing of Personal Data.
- "Processor" means Muxbe (Giorgi Kurtsikidze, Individual Entrepreneur / მცირე მეწარმე, registered in Georgia), which processes Personal Data on behalf of the Controller.
- "Customer Data" means any Personal Data that the Controller submits to, or that is collected through, the Muxbe platform in the course of using the Service.
- "Personal Data", "Data Subject", "Processing", "Personal Data Breach", "Supervisory Authority", and "Sub-processor" shall have the meanings given to them in the GDPR.
- "Service" means the Muxbe platform and all related services provided to the Controller under the Agreement.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
2. Scope and Roles
This DPA applies to the Processing of Customer Data by the Processor on behalf of the Controller in connection with the provision of the Service.
The Controller is the party that determines the purposes and means of Processing of Customer Data. The Controller is the iGaming operator, affiliate company, or other business entity that subscribes to and uses the Muxbe platform.
The Processor processes Customer Data solely on behalf of, and in accordance with the documented instructions of, the Controller as described in this DPA and the Agreement.
3. Details of Processing
In accordance with Article 28(3) of the GDPR, the following details of Processing are specified:
3.1 Subject Matter and Duration
The subject matter of the Processing is the provision of the Muxbe platform for affiliate management, retention intelligence, financial reporting, AI-powered analysis, sports intelligence, and team collaboration.
The duration of the Processing shall be for the term of the Agreement between the Controller and the Processor, plus any additional period required for the deletion or return of Customer Data in accordance with Section 10 of this DPA.
3.2 Nature and Purpose of Processing
The Processor performs the following Processing activities on Customer Data in order to provide the Service:
- Storage, organization, and retrieval of Customer Data within the platform
- Analysis and display of affiliate performance, financial, and retention data
- AI-powered processing for business insights and recommendations
- Synchronization with the Controller's third-party platform integrations (such as the Controller's affiliate management platform and marketing platforms) as configured by the Controller
- Delivery of transactional communications (e.g., email notifications)
- Audit logging and security monitoring
3.3 Types of Personal Data
The following categories of Personal Data may be processed depending on the Controller's use of the Service:
- Partner/affiliate contact information: email addresses, Telegram handles, Skype identifiers, phone numbers
- Player identifiers and personal information: email addresses, first names, last names, nicknames, IP addresses
- Player behavioral data: deposits, first-time deposits (FTDs), qualification status, activity data
- Financial and commission data: revenue figures, commission calculations, payment records
- Campaign engagement data: metrics synchronized from the Controller's marketing automation platform
- User account data: email addresses, names, roles, and permissions of authorized users
- Chat and communication messages: messages exchanged through the platform's internal communication features
- Audit trail data: IP addresses, user agents, timestamps, and action logs
3.4 Categories of Data Subjects
Customer Data may relate to the following categories of Data Subjects:
- The Controller's employees and authorized platform users
- The Controller's affiliate partners and their contact persons
- Players and end-users whose data the Controller uploads to, or synchronizes with, the platform
- The Controller's business contacts
4. Controller Obligations
The Controller warrants and represents that:
- It has a lawful basis under applicable data protection law for the Processing of Customer Data as contemplated by this DPA and the Agreement.
- It has provided all necessary notices to, and obtained all necessary consents or authorizations from, Data Subjects as required by applicable law before submitting their Personal Data to the Service.
- It shall comply with its obligations under the GDPR and applicable data protection laws with respect to Customer Data.
- Its instructions to the Processor shall at all times comply with applicable data protection law.
5. Processor Obligations
5.1 Processing on Instructions
The Processor shall process Customer Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such notification on important grounds of public interest.
The Controller's instructions are documented in the Agreement and this DPA. The Controller's use of the platform's features and configuration settings constitutes documented instructions. Any additional or alternative instructions require mutual written agreement.
The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection law.
5.2 Confidentiality
The Processor shall ensure that all persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of the Agreement.
5.3 Security of Processing
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, but are not limited to:
- Role-based access control with granular, configurable permissions
- Tenant-scoped data isolation ensuring strict separation of Customer Data between tenants
- Encryption of data in transit using HTTPS/TLS
- Secure storage of API credentials and secrets in a managed secrets vault
- Authentication token verification on all API endpoints
- Storage of personally identifiable information in separate, permission-gated database collections
- Comprehensive audit logging of user actions and system events
A detailed description of the Processor's security measures is available in the Security Policy. The Processor shall regularly review and update these measures to ensure continued appropriateness.
5.4 Privileged Access
The Controller acknowledges that the Processor's authorized personnel hold superadmin-level access to the platform infrastructure. This access is strictly limited to the following purposes:
- Providing customer support and technical assistance
- Performing system maintenance and operational tasks
- Investigating and resolving security incidents
- Debugging and troubleshooting platform issues
Such access shall be exercised only by authorized personnel of the Processor and only for the purposes stated above. Access is logged where technically feasible. The Processor shall not access Customer Data for any purpose other than those necessary for the provision of the Service, performance of its obligations under the Agreement, or compliance with applicable law.
6. Sub-processing
6.1 General Authorization
The Controller provides a general written authorization for the Processor to engage Sub-processors for the Processing of Customer Data, subject to the conditions set out in this Section 6. The categories of authorized Sub-processors are described on the Subprocessors page. The current named list of specific Sub-processors — including provider names, processing locations, and links to each provider's data protection terms — is provided to the Controller as part of the DPA package on signature and is available on request at legal@muxbe.com.
6.2 Obligations Regarding Sub-processors
When engaging a Sub-processor, the Processor shall:
- Carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Customer Data required by this DPA and applicable data protection law.
- Impose on the Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
- Remain fully liable to the Controller for the performance of any Sub-processor's obligations.
6.3 Notification of Changes
The Processor shall notify the Controller in writing (including by email to the address associated with the Controller's account) of any intended addition or replacement of Sub-processors at least thirty (30) days prior to such change, thereby giving the Controller the opportunity to object.
If the Controller objects to a new or replacement Sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If the parties are unable to reach a resolution within thirty (30) days of the Processor's receipt of the objection, the Controller may terminate the affected portion of the Service without penalty.
6.4 Categories of Sub-processors
| Category | Purpose | Region |
|---|---|---|
| Cloud infrastructure & database | Hosting, database, authentication, storage, serverless compute, scheduled tasks, secrets management, logging | US |
| AI services | AI-powered analysis and assistant features | US |
| Transactional email delivery | Delivery of platform-generated emails (notifications, alerts, invitations) | US |
| Frontend hosting & content delivery | Hosting and global delivery of the web application | US / Global CDN |
| Customer-configured platform integrations | Synchronization with the Controller's affiliate management platform and marketing automation platforms, where configured by the Controller | Determined by the Controller's chosen provider(s) |
The current named list of specific Sub-processors — including provider names, exact processing locations, and links to each provider's data protection terms — is provided to the Controller as part of the DPA package on signature, is updated with at least thirty (30) days' notice of any material change, and is available on request at legal@muxbe.com. The categories above are maintained at /legal/subprocessors.html.
7. Data Subject Rights
The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
Requests from Data Subjects received directly by the Processor shall be promptly forwarded to the Controller without undue delay, unless the Processor is otherwise required to respond under applicable law.
Assistance with Data Subject requests is currently handled through a manual process. The Controller may submit requests via dpa@muxbe.com.
8. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Where feasible, such notification shall be made within seventy-two (72) hours of the Processor becoming aware of the breach.
The notification shall include, to the extent reasonably available at the time of notification:
- A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
- The name and contact details of the Processor's point of contact from whom more information can be obtained
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects
Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay. The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities that the Controller is required to carry out under Articles 35 and 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor.
10. Data Deletion and Return
10.1 Upon Termination
Upon termination or expiry of the Agreement, the Processor shall, at the Controller's election:
- Return all Customer Data to the Controller in a commonly used, machine-readable format; or
- Delete all Customer Data and existing copies, unless European Union or Member State law requires further storage.
If the Controller does not provide instructions regarding deletion or return within thirty (30) days of termination, the Processor shall delete all Customer Data.
10.2 Scope of Deletion
Deletion of a tenant encompasses removal of all associated data, including but not limited to: the tenant registry entry, all tenant-scoped data collections, user profile records, and authentication accounts associated with the tenant.
10.3 Data Export
Prior to termination, the Controller may request export of Customer Data. Available export formats include:
- Partner data: CSV, JSON, PDF
- Reports and analytics: CSV, Excel, PDF
- Audit logs: CSV
10.4 Automated Data Retention
The Processor applies the following automated retention policies during the term of the Agreement:
- Player daily statistics: automatically pruned after 365 days
- Stopped campaign records: automatically pruned after 400 days
The Controller acknowledges and agrees to these retention periods. The Processor shall inform the Controller of any material changes to these automated retention policies.
11. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audit requests shall be subject to the following conditions:
- The Controller shall provide at least thirty (30) days' prior written notice of any audit request.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear its own costs associated with any audit, unless the audit reveals a material breach by the Processor.
- Audit findings and any Processor information accessed during the audit shall be treated as confidential by the Controller.
- Audits shall be limited to no more than one per twelve (12) month period, unless a Personal Data Breach or regulatory requirement necessitates an additional audit.
12. International Data Transfers
The Controller acknowledges that the provision of the Service involves the transfer and processing of Customer Data outside the European Economic Area ("EEA"), primarily to the United States, where the Processor's cloud infrastructure, AI services, transactional email delivery, and frontend hosting Sub-processors are located. Where the Controller has configured a marketing automation platform with EU endpoints, the corresponding data may instead be processed within the EU.
Other operational service providers used by the Processor (as described in the Subprocessors page) do not process Customer Personal Data and are not relied upon for transfers of Customer Personal Data.
Such transfers are necessary for the provision of the Service and are carried out in reliance on one or more of the following safeguards:
- An adequacy decision by the European Commission pursuant to Article 45 of the GDPR, where available (e.g., the EU-U.S. Data Privacy Framework, the Israel adequacy decision)
- Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR
- Other appropriate safeguards as recognized under Article 46 of the GDPR
Where required by the Controller, the Processor shall enter into Standard Contractual Clauses with the Controller and/or ensure that equivalent clauses are in place with relevant Sub-processors. The Controller may request execution of SCCs by contacting dpa@muxbe.com.
13. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability with respect to any claims by Data Subjects or fines imposed by a Supervisory Authority to the extent that such limitation would be prohibited by applicable law.
14. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws governing the Agreement, without regard to conflict of law principles. To the extent not specified in the Agreement, this DPA shall be governed by the laws of Georgia.
Any disputes arising out of or in connection with this DPA that cannot be resolved amicably shall be submitted to the courts of competent jurisdiction as specified in the Agreement.
15. General Provisions
15.1 Relationship to the Agreement
This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between the terms of this DPA and the Agreement with respect to the protection of Personal Data, the terms of this DPA shall prevail.
15.2 Amendments
The Processor may update this DPA from time to time to reflect changes in legal requirements, Processing activities, or security measures. Material changes shall be communicated to the Controller with reasonable advance notice. Continued use of the Service after such notice constitutes acceptance of the updated DPA.
15.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that achieves, to the extent possible, the economic, legal, and commercial objectives of the original provision.
15.4 Survival
The obligations of the Processor with respect to confidentiality, data deletion, and cooperation with audits shall survive the termination or expiry of this DPA and the Agreement.
16. Contact
For any inquiries regarding this DPA, data protection matters, or to exercise any rights under this DPA, please contact:
Muxbe — Data Protection
Giorgi Kurtsikidze, Individual Entrepreneur
Email: dpa@muxbe.com