Data Processing Agreement

Plain-English overview of how personal data may be processed when MCModGen is used for business purposes.

Template · review before production

Overview

This Data Processing Agreement (DPA) template is adapted for MCModGen from the structure of the referenced Player Games DPA. It is a starting point and should be reviewed and finalized by legal counsel before production use.

In a typical DPA, the customer acts as the Controller and MCModGen (or its operator) acts as the Processor when processing personal data on the customer's behalf.

Scope & Purpose

  • Applies to personal data processed in connection with MCModGen services
  • Covers account management, service delivery, support, analytics, security monitoring, and AI-assisted generation workflows
  • Should describe the types of personal data and categories of data subjects relevant to your deployment

Processing Activities & Data Categories

  • Account and authentication data
  • Billing/payment-related records (if applicable)
  • Usage and technical telemetry
  • Prompt inputs, generated outputs, and generation logs
  • Support and communication records
  • Service configuration and operational data relevant to product usage

Sub-processors

MCModGen's DPA should list the sub-processors used to operate the service. Based on the current codebase and planned deployment stack, this may include the providers below. Final legal names, regions, and processing roles should be confirmed before production use.

  • OpenRouter (current default AI gateway) and any downstream model providers used through your configured AI pipeline (for example, providers selected via OpenRouter)
  • Managed Redis provider (optional, only when Redis queue mode is enabled in deployment)
  • Vercel (planned) for hosting, deployment, and delivery infrastructure
  • Supabase (planned) for database, authentication, storage, and backend platform services
  • Google Analytics (planned) for analytics and usage reporting

Each sub-processor should be bound by appropriate confidentiality, security, and data-processing obligations.

  • Process data only on documented instructions
  • Maintain confidentiality and appropriate safeguards
  • Assist with compliance obligations where required
  • Flow down equivalent protections to their own sub-processors when applicable

Security Measures

  • Encryption in transit and at rest (where appropriate)
  • Access controls and authentication protections
  • Security monitoring, patching, and incident response procedures
  • Operational policies, training, and periodic security reviews

Incident Response & Breach Notification

  • Investigate and contain incidents quickly
  • Notify affected customers/parties without undue delay, subject to legal and contractual requirements (for example, within 72 hours if your final policy or applicable law requires it)
  • Provide updates on scope, impact, and mitigation efforts as information becomes available
  • Document remediation steps and post-incident improvements

Data Subject Requests, Retention, and Audits

  • Assist customers with data subject requests where applicable (access, correction, copies, etc.)
  • Document retention and deletion timelines for active data, logs, and backups (for example, retaining account data for as long as the account remains active, and a deletion window for redundant data such as 30 days if adopted)
  • Define audit cooperation terms and reasonable audit conditions
  • Document data location, transfer safeguards, and governing law in the final agreement