Data Processing Agreement
This DPA forms part of the Terms of Service between The Arcane Gate Ltd (us, the processor) and the Creator (you, the controller). It applies whenever we process personal data on your behalf — primarily backer information.
1. Parties
Processor: The Arcane Gate Ltd, trading as StoryForge Pledges, a company registered in England and Wales, contact james@storyforgerpg.com.
Controller: the creator who accepted the StoryForge Pledges Terms of Service.
2. Definitions
Defined terms (Controller, Processor, Personal Data, Processing, Data Subject, Sub-processor, Personal Data Breach, Supervisory Authority) carry the meanings given in the UK GDPR and the EU GDPR. "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the EU GDPR, and the California Consumer Privacy Act / California Privacy Rights Act, as each applies to a given processing activity.
3. Subject matter, duration & purpose
- Subject matter — provision of the StoryForge Pledges platform to the Controller for managing a Kickstarter campaign.
- Duration — for as long as the Controller's account is active, plus the retention windows in the Privacy Policy.
- Nature & purpose of processing — storing, organising, retrieving, transmitting, and deleting backer personal data so that the Controller can fulfil their campaign obligations (surveys, charging, shipping, reporting).
3.1 Types of personal data & categories of data subject
- Data subjects — backers who pledged on the Controller's Kickstarter campaign.
- Personal data — name, Kickstarter username, email address, pledge amount, reward tier, add-on selections, shipping address, optional survey responses, optional backer notes from the Controller.
- No special category data is intentionally processed. The Controller agrees not to upload special-category data (health, race, religion, etc.) into free-text fields.
4. Processor obligations
We will:
- Process personal data only on the Controller's documented instructions, including regarding international transfers. Use of the platform constitutes a standing instruction.
- Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational security measures described in our Security Overview.
- Notify the Controller without undue delay (and in any event within 48 hours) of becoming aware of a Personal Data Breach affecting Controller data, with sufficient information for the Controller to meet their own notification obligations.
- Assist the Controller with data-subject requests, data-protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to us.
- On termination, delete or return all Controller personal data within 30 days, except where retention is required by law.
5. Sub-processors
The Controller authorises us to engage the sub-processors listed on our public sub-processor list. We give at least 30 days' notice of any new sub-processor by updating that page; subscribe to its RSS feed to be notified. The Controller may object to a new sub-processor on reasonable data-protection grounds, and may terminate the service if we cannot accommodate the objection.
We remain liable for the acts and omissions of our sub-processors to the same extent as if we had performed the relevant processing ourselves. We impose data protection terms on each sub-processor that are at least as protective as those in this DPA.
6. International transfers
Where personal data is transferred outside the UK or EEA to a country that does not benefit from an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and on the UK Information Commissioner's International Data Transfer Addendum, each of which is incorporated into this DPA by reference. The Controller is the "data exporter" and StoryForge Pledges (or the relevant sub-processor) is the "data importer".
7. Data-subject rights
Backers may exercise their rights of access, rectification, erasure, restriction, objection, and portability either directly through the Controller, or via the dedicated Backer Rights page. We will route any request we receive to the Controller within 5 working days and will support the Controller's response.
8. Audit
Once per calendar year (or more often if required by a Supervisory Authority), we will provide the Controller with a current SOC2 Type II report or equivalent third-party attestation when available. While we are working towards SOC2, the Controller may request a written self-assessment against ISO 27001 controls, which we will provide within 30 days. On-site audits are not contemplated under this DPA absent a specific regulatory requirement.
9. Liability
Each party's liability under this DPA is subject to the liability cap in the Terms of Service, except that nothing limits liability that cannot lawfully be limited.
10. Precedence & conflicts
Where this DPA conflicts with the Terms of Service or the Privacy Policy on a matter of personal-data processing, this DPA prevails. Where this DPA conflicts with the Standard Contractual Clauses incorporated by reference, the Clauses prevail.
11. Changes
We may update this DPA from time to time to reflect changes in law or in our processing operations. Material changes will be notified by email to the Controller's billing contact. Continued use of the service after the change means the Controller accepts the updated DPA.