Epic Games Online Services Data Processing Addendum

This Epic Games Online Services Data Processing Addendum (“DPA”) supplements the Epic Games Online Services End User License Agreement (“Agreement”) between you and Epic. It applies to Epic’s Processing of Personal Data in connection with its provision of Services to you under the Agreement. Capitalized terms not otherwise defined directly in this DPA have the meanings given to them in Section 16 of the Agreement.

  1. Relationship with the Agreement.
  1. This DPA becomes effective when you accept the Agreement, and remains effective until the termination of the Agreement.[a][b][c][d][e][f]
  2. The DPA represents the full and complete agreement between you and Epic pertaining to the subject matter contained herein. It replaces any prior agreement you may have previously entered into with Epic relating to Epic’s Processing of your Personal Data, but does not otherwise impact your or Epic’s respective rights or obligations under the Agreement or your other agreements with Epic that do not relate to the Services.
  3. If the DPA conflicts with the Agreement: (i) the provisions of the DPA will prevail solely with respect to the relevant conflict; and (ii) the remainder of the Agreement will otherwise remain in full force and effect.
  4. Except as may be otherwise provided pursuant to Epic’s compliance with applicable data transfer mechanisms in Section 9, no one other than a party to this DPA, its successors, and permitted assignees shall have any right to enforce any of its terms.
  5. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
  1. Roles of the Parties.
  1. As between you and Epic, you are the Controller and Epic is the Processor of your Personal Data. Epic will Process your Personal Data only as a Processor acting at your direction and in accordance with your instructions, as set forth in the Agreement and this DPA. 
  2. As the Processor under this DPA, Epic agrees to Process your Personal Data only (i) for the purposes described in the Agreement or in accordance with your documented lawful instructions; or (ii) as required by applicable law, in which case Epic shall to the extent permitted by applicable laws inform you of that legal requirement before the relevant Processing. You acknowledge that the Agreement and this DPA represent your instructions to Epic to Process your Personal Data in order to provide Services and fulfill Epic’s obligations under the Agreement, including to operate and support the Services. 
  3. As the Controller under this DPA, you agree to: (i) comply with Data Protection Laws at all times; (ii) provide sufficient notice and obtain all consents and rights necessary for Epic to lawfully Process your Personal Data and provide the Services in accordance with your instructions; and (iii) immediately notify Epic and cease Processing relevant Personal Data if any required authorization or legal basis is revoked or terminates.  
  1. Details of Processing. Appendix 1 to this DPA describes the Processing of Personal Data contemplated herein, including: (i) the subject matter, duration, nature, and purpose; (ii) the types of Personal Data; and (iii) the categories of data subjects.
  2. Security.
  1. In providing the Services, Epic will use reasonable technical and organizational measures designed to ensure a level of security appropriate to the risk presented by the Processing of Personal Data as required by Article 32 of the GDPR[g].
  2. Notwithstanding Section 4.1 above, you agree that you are responsible for your secure use of the Services, including properly securing your account credentials and adhering to any posted guidelines and policies relating to your use of the Services.
  1. Breach Notification. 
  1. After becoming aware of a Data Breach, Epic will: (i) notify you without undue delay; (ii) use reasonable efforts to promptly identify the cause; (iii) take additional steps Epic deems reasonably necessary to remediate the identified cause; and (iv) provide you with other information reasonably necessary for you to comply with Data Protection Laws.
  2. You acknowledge and agree that the obligations described in Section 5.1 above will not apply to incidents that are caused by you or your authorized representatives (including as a result of failing to securely use the Services as set forth in Section 4.2).
  1. Confidentiality. Epic will require any person that it authorizes to Process your Personal Data (including its staff, agents, and contractors) to be under an appropriate obligation of confidentiality.
  2. Post-Termination Obligations.
  1. Upon termination of the Agreement, Epic will promptly delete (or, at your election, return to you and then delete) all Personal Data remaining in its possession or control. If you do not notify Epic of your choice within thirty (30) days of the termination of the Agreement, you will be deemed to have chosen deletion.
  2. The requirement in Section 7.1 shall not apply to the extent Epic is required to retain Personal Data by applicable law. 
  1. Subprocessing. 
  1. By entering into this DPA, you authorize Epic to engage Subprocessors to assist Epic with Processing your Personal Data on your behalf. A list of Epic’s current Subprocessors can be found at [https://dev.epicgames.com/services/terms/subprocessors/[h][i]].
  2. Epic will only engage Subprocessors that agree in writing to data protection obligations at least as protective as in this DPA. Epic will remain liable for the performance of any such Subprocessor’s data protection obligations to the same extent Epic would be liable if performing the relevant services directly under the DPA.
  3. Epic will provide you with reasonable notice before Epic engages a new Subprocessor for your Personal Data, including the date on which that Subprocessor will begin to Process your Personal Data. You may object to Epic’s engagement of any such new Subprocessor by ceasing to use the applicable Service(s) by that date. Your continued use of any applicable Service(s) on or after that date will constitute your acceptance of the relevant Subprocessor. 
  1. International Transfers. Epic and its Subprocessors may Process your Personal Data anywhere in the world where they operate, including the United States. Epic will only transfer your Personal Data to non-EEA countries subject to appropriate safeguards, namely pursuant to Standard Contractual Clauses (the terms of which are incorporated by reference hereto) to the extent required by applicable Data Protection Laws. The Standard Contractual Clauses also apply to the extent that you are an importer of the Personal Data under Standard Contractual Clauses you have entered with third parties and which require you to enter into Standard Contractual Clauses with Epic as a Processor or Subprocessor.
  2. Data Protection Authority Inquiries. To the extent you require Epic’s assistance to respond to any requests from data protection authorities relating to the Processing of Personal Data,  Epic will, at your expense, provide commercially reasonable cooperation to assist you.
  3. Individual Rights and Requests.
  1. Epic strives to provide you with tools to independently correct, amend, or delete personal Data, or block or restrict Processing of Personal Data.  To the extent you do not have the ability to independently facilitate such actions, then at your written direction and to the extent required by Data Protection Laws, Epic will comply with your commercially reasonable requests to facilitate such actions. To the extent legally permitted, you shall be responsible for any costs arising from Epic’s or its Subprocessors’ provision of such assistance.
  2. To the extent legally permitted, Epic will promptly notify you if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. Epic strives to provide you with tools to independently address such data subject requests. To the extent you are unable to independently address a data subject’s request, and to the extent legally permitted, Epic shall provide you with commercially reasonable cooperation and assistance. To the extent legally permitted, you shall be responsible for any costs arising from Epic’s provision of such assistance.
  1. Data Protection Impact Assessments, Prior Consultations, and Audits.
  1. To the extent you require Epic’s assistance in connection with data protection impact assessments and prior consultations under Article 35 and 36 of GDPR, Epic will, at your expense, provide commercially reasonable cooperation to assist you.
  2. Epic will provide written responses (on a confidential basis) to your commercially reasonable requests for information necessary to demonstrate Epic’s compliance with this DPA. Epic will cooperate with audits and inspections performed by you or an independent third-party auditor reasonably acceptable to Epic that are necessary to confirm Epic’s compliance with this DPA; provided however, that any on-site audit or inspection: (i) may not be performed unless necessary to determine Epic’s compliance with this DPA and you reasonably believe that Epic is not complying with this DPA; (ii) must be conducted at your sole expense and subject to reasonable fees and costs charged by Epic; (iii) will be conducted at a date and time and for a duration mutually agreed by the parties; and (iv) must be performed in a manner that does not cause any damage, injury, or disruption to Epic’s premises, equipment, personnel, or business. Notwithstanding the foregoing, Epic will not be required to disclose any proprietary or privileged information to you or any agent or vendor of yours. You shall not exercise your rights under this Section 12.2 more than once per year.
  1. Law Enforcement Requests.
  1. If a law enforcement agency sends Epic a demand for your Personal Data (for example, through a subpoena or court order), Epic may attempt to redirect the law enforcement agency to request that Personal Data directly from you. As part of this effort, Epic may provide your basic contact information to the law enforcement agency.
  2. If compelled to disclose Personal Data to a law enforcement agency, Epic will take reasonable steps to notify you of the relevant demand to allow you to seek a protective order or other appropriate remedy, unless Epic is legally prohibited from doing so.
  1. Your Obligations.
  1. You will ensure that (i) you are entitled to transfer or provide access to any relevant Personal Data to Epic; (ii) Epic may lawfully Process such Personal Data on your behalf in accordance with your instructions, as set forth in the Agreement and this DPA; (iii) you do not provide any Sensitive Personal Data to Epic under any circumstances; and (iv) any relevant third parties have been informed of, and have given their consent to, such Processing as required by any applicable Data Protection Law.
  2. You specifically acknowledge that Epic is reliant on your direction as to the extent to which Epic is entitled to Process your Personal Data for the purposes contemplated by the Agreement and this DPA. Consequently (and without limiting any limitations of liability or your indemnification obligations under the Agreement), you agree that Epic will not be liable for any claim brought against Epic arising from any action or omission by Epic to the extent that such action or omission resulted directly from your instructions or failure to otherwise comply with this DPA.
  3. In no event shall either party limit its liability to any individual with respect to that individual’s data protection rights under this DPA or otherwise. You agree to indemnify, pay the defense costs of, and hold Epic, its licensors, its and their affiliates, and its and their employees, officers, directors, agents, contractors, and other representatives harmless from all such claims, demands, actions, losses, liabilities and expenses (including attorneys’ fees, costs, and expert witness fees), including but not limited to such claims or costs associated with any Data Breach other than a Data Breach caused by Epic. You agree to reimburse Epic on demand for any defense costs incurred by Epic and any payments made or loss suffered by Epic, whether in a court judgment or settlement, based on any matter covered by this Section 14.3. This indemnification obligation is in addition to your indemnification obligations contained within the Agreement. If you are prohibited by law from entering into the indemnification obligation above, then you assume, to the extent permitted by law, all liability for all claims, demand, actions, losses, liabilities, and expenses (including attorney’s fees, costs and expert witness fees) that are the stated subject matter of the indemnification obligation above.
  1. Amendments. Epic may amend this DPA in connection with legal or regulatory requirements, in which case Epic will provide reasonable notice to you.
  2. Definitions. As used in this DPA:
  1. “Controller,” “Processor,” and “Processing” have the meanings set forth in the GDPR.
  2. “Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
  3. “Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this DPA (including, where applicable, GDPR).
  4. “EEA” means the European Economic Area, United Kingdom, and Switzerland.
  5. “GDPR” means the General Data Protection Regulation 2016/679 and any applicable member state law implementing the same.
  6. “Personal Data” means any information relating to an identified or identifiable natural person that (i) originates from the EEA or that is otherwise subject to EEA Data Protection Laws; and (ii) Epic Processes on your behalf as a Processor in the course of providing the Services.
  7. “Sensitive Personal Data” means any categories of Personal Data the Processing of which is generally prohibited by GDPR Article 9 or any applicable Data Protection Laws.
  8. “Standard Contractual Clauses” means contractual clauses approved by 2010/87/EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593). For the purposes of Appendix 1 to the Standard Contractual Clauses incorporated herein, (i) you are the data exporter; (ii) Epic is the data importer; and (iii) the data subjects, categories of data, and processing operations are as defined in Appendix 1 to this DPA. For the purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) include: (i) Software Development Lifecycle procedures; (ii) access controls; (iii) network scanning programs; (iv) physical security controls; (v) network activity logging; (vi) anti-malware software; (vii) encryption of web connections to the Services, passwords, and Epic laptops and workstations, and (viii) data center hosting by Amazon Web Services (AWS), whose data centers are ISO 27001 certified and provide SOC 2, Type 2 attestation reports. More detailed information about AWS’s security can be found here: https://aws.amazon.com/security/.  
  9. “Subprocessor” means a Processor engaged by Epic to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.

Appendix 1
Details of the Data Processing

Subject Matter. Your use of the Services as identified in the Agreement and its applicable Service Addendum(s).

Duration. The period during which you use any Services which include the Processing of Personal Data by Epic.

Nature and Purpose. Enabling Epic to provide you with Services you select as described in the applicable Service Addendum(s).

Type of Personal Data. Personal Data to which you provide Epic access for the purposes of providing you with Services described in the applicable Service Addendum(s).

Categories of Data Subjects. Natural persons whose Personal Data you instruct Epic to Process for the purposes of providing you with Services described in the applicable Service Addendum(s). The data subjects may include you, your end-users, customers, employees, and suppliers.


[a]I thought this would only become effective if we were asked for it?  As the EULA (the "Agreement") doesn't reference the DPA, I can't see how it is OK to have the DPA take effect upon accepting the EULA.  Am I reading/understanding this wrong?

[b]This has been an open question, but our most recently received guidance had been draft as though it would be made available publicly by default.

I think this language is actually flexible enough to accommodate the preferred approach either way -- if we're requiring developers to ask for the DPA, they'd still be looking for it to be effective as of the start of their use of the services.

Alternatively, we could also require them to return the DPA to a designated email address or individual to accept -- many other companies take this type of an approach, but it would require some additional overhead to track and administer.

[c]Who needs to answer this question?  +mike.atamas@epicgames.com for viz/comment.

[d]I’m on a plane, so limited in what I can do.

If we are taking a developer friendly approach, we should not be requiring developers to ask us for this agreement. Indie developers won’t know they need to look for a DPA.

What does Google and Amazon do for cloud and AWS? I think you auto agree to those terms?

We could do something like, if you are required to have a DPA in place, you accept the DPA at the moment you accept the EULA or start using EOS.

[e]AWS incorporates DPA by default in the underlying terms of service basically "to the extent GDPR applies."

83. General Data Protection Regulation (GDPR)

83.1. These Service Terms incorporate the AWS Data Processing Addendum (“DPA”), available here, when the GDPR applies to your use of the AWS Services to process Customer Data (as defined in the DPA).

83.2. The DPA is effective as of 25 May 2018 and replaces and supersedes any previously agreed data processing addendum between you and AWS relating to the Directive 95/46/EC.

[f]Jay made a good point that Tim was pretty clear about not wanting to cross-reference a lot of different agreements in the EULA, so not sure how feasible this would be.

[g]Is there any additional guidance on what this means we need to do?  +kevin.carpenter@epicgames.com for iz as we are working on developing a security policy.

[h]Internal note: needs to be finalized with list of current Suprocessors.

[i]+tony.rossi@epicgames.com, do we have a page for sub-procesors setup?  if so, please confirm the correct URL.