Persistly
Account auth readyOpen dashboard

Data Processing Addendum

The DPA covers customer data processed through Persistly.

Last updated: 2026-04-21. This Data Processing Agreement applies between Northshore Labs LTD as Processor and the customer as Controller.

1. Scope

This DPA governs processing of personal data in connection with Persistly where the customer is controller and Northshore Labs LTD processes personal data on the customer's behalf.

2. Roles

The customer is the Data Controller. Northshore Labs LTD is the Data Processor for customer personal data processed through the hosted service.

3. Processing details

Processor will process data only on instructions from Controller, ensure confidentiality, and implement appropriate security measures.

The subject matter is hosted save persistence and sync for games. The duration is the term of the customer's use of Persistly plus deletion, backup, and legal retention periods. The purpose is to provide, secure, troubleshoot, and support the Service.

Data subjects may include customer operators and game players. Personal data may include account identifiers, authentication identifiers, project data, save IDs, external user IDs, save metadata, save state if it contains personal data, IP addresses, logs, support messages, and billing metadata.

Controller must not submit special category data, sensitive personal data, payment card data, government IDs, health data, or children's personal data unless explicitly agreed in writing and supported by appropriate legal controls.

4. Subprocessors

Processor may engage subprocessors including Stripe for payments, Clerk for authentication, and DigitalOcean for hosting. See the Subprocessors page for the current list.

5. Security

Processor implements technical and organizational measures designed to protect personal data, including access controls, least-privilege operational access, encrypted transport, hosted database controls, logging, backup controls, and incident review.

6. Data subject rights

Processor will assist Controller in fulfilling access, deletion, and correction requests where required by applicable law.

7. Data breach

Processor will notify Controller without undue delay after becoming aware of a breach.

8. Return or deletion

Upon termination, data will be deleted or returned to Controller where required and technically feasible. Residual copies may remain in backups, logs, and accounting records for limited periods before deletion under normal retention cycles.

9. International transfers

Data may be transferred internationally with appropriate safeguards, including use of subprocessors with contractual commitments and transfer mechanisms where required.

10. Audits and information

Processor will provide reasonable information needed to demonstrate compliance with this DPA. Audits must be reasonable, documented, limited to relevant systems and controls, and avoid creating security, confidentiality, or service availability risks.

11. Liability and governing law

Liability is governed by the Terms of Service. Bulgaria and EU law apply.

12. Contact

Data processing questions can be sent to legal@northshore-labs.com.