Data Processing Addendum
Last updated: March 2026
This Data Processing Addendum (“DPA”) forms part of any agreement (“Agreement”) entered into between Mighty Bear Games Pte. Ltd. (“Company” or “Processor”) and you (“Customer” or “Controller”). This DPA applies only where the Company processes Personal Data on behalf of the Customer in connection with the Services (as defined in the Agreement).
The terms “Personal Data”, “Data Subject”, “processing” (and “process”), “Controller”, and “Processor” have the meanings given to them in the Applicable Data Protection Law.
1. Definitions
“Applicable Data Protection Law” — all data protection and privacy legislation applicable to the processing of Personal Data under this DPA, including: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the Personal Data Protection Act 2012 of Singapore (“PDPA”); and (e) applicable US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”) and similar legislation in other states.
“Customer Content” has the meaning given to it in the Terms of Use.
“Output” has the meaning given to it in the Terms of Use.
“Personal Data Breach” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA.
“Restricted Transfer” means a transfer of Personal Data which is undergoing processing, or which is intended to be processed after transfer, to a country or territory to which such transfer is prohibited or subject to a requirement to take additional steps to adequately protect the Personal Data for the transfer to be lawful under the Applicable Data Protection Law.
“Sensitive Data” means any category of personal data classified as “sensitive”, “special category”, or subject to heightened protection requirements under Applicable Data Protection Law.
“Standard Contractual Clauses” or “SCCs” — the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Decision 2021/914), as amended or replaced.
“Subprocessor” — any third party engaged by the Company to process Personal Data on behalf of the Customer.
“Supplemental Arrangement” has the meaning given to it in the Terms of Use.
“Terms of Use” means the Company’s terms of use found at https://trysecretsauce.ai/legals/terms-of-use.
“Training” means using data to modify, update, refine, or tune a machine-learning model (or that model’s weights), including supervised, unsupervised, reinforcement learning, continual learning, or any derivative process intended to change model behaviour.
“UK Addendum” — the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.
Capitalised terms not defined in this DPA have the meanings given in the Agreement.
2. Scope and Roles
2.1 This DPA applies to the extent that the Company processes Personal Data on behalf of the Customer as a Processor (or equivalent role under Applicable Data Protection Law, including “data intermediary” under the PDPA and “service provider” or “contractor” under US state privacy laws).
2.2 The Customer is the Controller. The Company is the Processor. The subject matter, nature, purpose, duration, categories of Data Subjects, and types of Personal Data processed are described in Schedule 1 (Data Processing Details).
2.3 Each Party shall comply with its obligations under Applicable Data Protection Law with respect to the processing of Personal Data under this DPA.
3. Customer Instructions
3.1 The Company shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. By entering into the Agreement, the Customer will be taken to have given such instructions for Personal Data to be processed to the extent covered by the Agreement (including this DPA and the Company’s privacy policy) and any other Supplemental Arrangement.
3.2 The Company shall promptly inform the Customer if, in the Company’s opinion, an instruction infringes Applicable Data Protection Law and reserves the right to refrain from implementing such instruction. Notwithstanding the foregoing, the Company is not required to make a legal assessment of the Customer’s instructions.
4. Confidentiality of Personal Data
The Company shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require it to perform the Service.
5. Security
5.1 The Company shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, having regard to the state of the art, cost of implementation, nature of the processing, and risk to Data Subjects.
5.2 The measures in effect as of the date of this DPA are described in Schedule 2 (Technical and Organisational Measures). The Company may update these measures from time to time, provided the overall level of security is not materially diminished.
6. Subprocessors
6.1 The Customer authorises the Company to engage Subprocessors to process Personal Data. The Company’s current Subprocessors are made available at https://trysecretsauce.ai/legals/subprocessors, which will be updated from time to time in accordance with the notification obligations below.
6.2 The Company shall ensure that each Subprocessor: (a) processes Personal Data only on documented instructions from the Company consistent with this DPA; (b) implements and maintains technical and organisational measures materially equivalent to those required by this DPA; and (c) accepts restrictions on Training or reuse of Customer Content that are materially equivalent to the provisions of Section 10 with respect to AI processing.
6.3 The Company shall notify the Customer at least fifteen (15) days in advance of any intended addition or replacement of a Subprocessor. The Customer may object in writing within fifteen (15) days of receiving the notice by contacting privacy@trysecretsauce.ai. If the Customer objects on reasonable data protection grounds and the parties cannot resolve the objection within thirty (30) days, the Company reserves the right to limit or terminate the Services with respect to the Customer if the Services can no longer be provided without the support of the Subprocessor that the Customer has objected to.
7. Data Subject Rights
The Company shall, where legally permitted, promptly notify the Customer if it receives a request from a Data Subject relating to Customer Content. The Company will not respond to such requests except to redirect the Data Subject to the Customer or as otherwise required by law.
The Company will assist the Customer to enable the Customer to respond to Data Subject requests as required by Applicable Data Protection Law, using commercially reasonable efforts to provide necessary information or exported datasets within fifteen (15) days of a documented request from the Customer.
8. Personal Data Breach
8.1 A Party shall notify the other Party without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach.
8.2 The notification shall include, to the extent reasonably available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected; (b) the likely consequences; and (c) the measures taken or proposed to address the breach.
8.3 The Company shall cooperate with the Customer and take commercially reasonable steps to mitigate the effects of the breach. The Company’s notification of a Personal Data Breach shall not be construed as an acknowledgement of fault or liability.
9. Assistance with Data Protection Impact Assessments and Regulatory Cooperation
The Company shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, in each case solely to the extent required under Applicable Data Protection Law and taking into account the nature of the processing and the information available to the Company.
10. AI Processing
10.1 Save as otherwise provided in this Section 10, the Company will not use Customer Content (including any Personal Data contained therein) for Training any of the Company’s shared foundation models, models offered as general-purpose models to other customers, or public models, unless the Customer has provided an express prior written agreement that specifies the limited scope and purposes of such Training.
10.2 The Company may use de-identified and/or aggregated data that no longer constitutes Personal Data under Applicable Data Protection Law to improve the Company’s Technology and Services, provided: (a) the data is de-identified and/or aggregated in accordance with documented technical procedures; (b) de-identification is irreversible by the Company; (c) such use does not permit reconstruction of Customer-specific Outputs or re-identification of Data Subjects; and (d) at the reasonable request of the Customer, the Company provides the Customer with a description of the de-identification techniques used.
“De-identified” data refers to data that has been processed so that it is anonymised and cannot reasonably be used to re-identify an individual, either directly or indirectly, taking into account available means reasonably likely to be used for identification, consistent with reasonable industry standards.
10.3 Customer Content (including any Personal Data contained therein) may be stored as part of the Customer’s brand codex configuration and in retained Outputs, solely to support the provision of the Service. Such data is logically segregated from the data of other customers and, if agreed in a Supplemental Arrangement, processed in a dedicated tenant or region.
10.4 Any use of Customer Content for Training or for purposes outside the scope of the Agreement and this DPA requires the Customer’s prior written authorisation.
11. International Transfers
11.1 To the extent that the Company’s Services involve a Restricted Transfer by the Customer of Personal Data originating in the European Economic Area, the Parties agree that Part A of Schedule 3 shall apply.
11.2 To the extent that the Company’s Services involve a Restricted Transfer by the Customer of Personal Data originating in the UK, the Parties agree that Part B of Schedule 3 shall apply.
11.3 To the extent that the Company’s Services involve a Restricted Transfer by the Customer of Personal Data originating in Switzerland, the Parties agree that Part C of Schedule 3 shall apply.
11.4 Where Personal Data is transferred outside Singapore, the Company shall comply with the transfer requirements under the PDPA, including ensuring that the recipient provides a comparable standard of protection.
12. Return and Deletion
12.1 Upon termination or expiry of the Agreement (or earlier upon the Customer’s written request), the Company shall, at the Customer’s election, return or delete all Customer Content (including any Personal Data therein) within thirty (30) days, unless retention is required by applicable law.
12.2 Where the Company is required by law to retain Customer Content or any Personal Data, it shall: (a) inform the Customer of the legal requirement (to the extent permitted); (b) limit processing to the purpose required by law; and (c) continue to protect the data in accordance with this DPA.
13. Audits
13.1 The Company shall make available to the Customer on request all information reasonably necessary to demonstrate compliance with this DPA.
13.2 The Customer (or an independent third-party auditor appointed by the Customer) may conduct an audit of the Company’s processing activities, subject to the following conditions:
- Frequency: No more than once per twelve (12) months, unless a Personal Data Breach has occurred or a supervisory authority requires an audit.
- Method: The Customer shall first review the Company’s available documentation, certifications, and audit reports (including SOC 2 or equivalent). On-site inspection is available only where the documentation review is insufficient to verify compliance or where required by Applicable Data Protection Law.
- Notice: At least thirty (30) days’ written notice.
- Scope: Limited to the Company’s processing of Personal Data under this DPA.
- Costs: The Customer bears the costs of any audit, unless the audit reveals material non-compliance by the Company, in which case the Company bears reasonable audit costs.
13.3 Nothing in this Section 13 requires the Company to disclose information that is confidential to other customers, proprietary security information, or information protected by legal privilege.
14. US State Privacy Law Provisions
To the extent that the Company processes Personal Data subject to US state privacy laws (including the CPRA and comparable legislation), the following provisions apply in addition to the rest of this DPA:
- The Company is a “service provider” or “contractor” (as applicable) and processes Personal Data solely for the business purposes specified in the Agreement.
- The Company shall not sell or share Personal Data (as those terms are defined under applicable US state privacy laws).
- The Company shall not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by applicable law.
- The Company shall comply with all applicable obligations under US state privacy laws and provide the same level of privacy protection as required by such laws.
- The Customer has the right to take reasonable and appropriate steps to ensure the Company uses Personal Data consistently with the Customer’s obligations under applicable US state privacy laws. The Company shall notify the Customer if it determines that it can no longer meet its obligations under such laws.
15. Liability
15.1 Each Party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement (or any Supplemental Arrangement). This DPA does not create a separate or additional liability regime.
15.2 For the avoidance of doubt, claims under this DPA count towards the aggregate liability cap in the Agreement. Multiple claims do not enlarge the cap.
16. Order of Precedence
16.1 In the event of any conflict between this DPA and the Agreement (or any Supplemental Arrangement), this DPA shall prevail with respect to the processing and protection of Personal Data.
16.2 Nothing in the Agreement shall be construed as limiting the Company’s obligations under Applicable Data Protection Law.
17. General
Governing Law. This DPA is governed by the laws specified in the Agreement, except for the specific exceptions in Schedule 3 with respect to the matters therein.
Amendments. The amendment provisions of the Agreement apply to this DPA.
Term. This DPA remains in effect for the duration of the Agreement and for as long as the Company processes Personal Data on behalf of the Customer.
SCHEDULE 1 — DATA PROCESSING DETAILS
| Subject Matter | Processing of Personal Data in connection with the Customer’s use of the Secret Sauce AI platform. |
| Duration | For the duration of the Services under the Agreement (and any Supplemental Arrangement) plus any post-termination deletion or handover period. |
| Nature and Purpose | Automated processing of Customer Content (which may contain Personal Data) to build and maintain a brand codex, generate Outputs, and support contextual generation. Storage of Outputs to improve usability and continuity of the Service. |
| Categories of Data Subjects | Customer’s employees, contractors, end users, and any individuals whose Personal Data is included in Customer Content. |
| Types of Personal Data | Names, email addresses, job titles, likeness (photographs), business contact information, and any other Personal Data submitted by the Customer in Customer Content. |
| Sensitive Data | Not permitted. |
| Frequency | Continuous, as determined by the Customer’s use of the Service. |
Subprocessors
The Company’s current Subprocessors are:
| Subprocessor | Purpose | Location | Data Processed |
| [Cloud Provider] | Hosting infrastructure | [Region] | All Customer Content |
| [AI Model Provider] | AI inference | [Region] | Customer Content for Output generation |
| [Payment Provider] | Billing and payments | [Region] | Billing contact details |
An up-to-date list of Subprocessors is maintained at [trysecretsauce.ai/legals/subprocessors].
SCHEDULE 2 — TECHNICAL AND ORGANISATIONAL MEASURES
The Company maintains the following technical and organisational measures to protect Personal Data. These measures are subject to ongoing review and may be updated to reflect changes in technology and industry practice, provided the overall level of protection is not materially diminished.
1. Data Segregation
Customer data is logically segregated from other customers at the application and storage layers. Customer Content and Outputs are isolated using tenant-specific identifiers and access controls.
2. Encryption
Personal Data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 (or equivalent) on the Company’s hosting infrastructure.
3. Access Controls
Access to Personal Data is restricted on a least-privilege basis. Role-based access controls are enforced across all systems that process Personal Data. Administrative access requires multi-factor authentication.
4. Authentication
The Service enforces authentication for all user access. Administrative and privileged access requires multi-factor authentication. Password policies enforce minimum complexity and rotation requirements.
5. Logging and Monitoring
The Company maintains audit logs of access to systems that process Personal Data. Logs are reviewed regularly for anomalous activity. Automated alerting is configured for security-relevant events.
6. Infrastructure Security
The Service is hosted on infrastructure provided by a reputable cloud service provider with industry-standard physical and environmental security controls (including SOC 2 Type II or equivalent certification). The Company maintains network segmentation, firewalls, and intrusion detection systems.
7. Incident Response
The Company maintains an incident response plan covering identification, containment, eradication, recovery, and post-incident review. The plan is tested and updated periodically. Personal Data Breaches are escalated in accordance with Section 8 of the DPA.
8. Personnel Security
Personnel with access to Personal Data are subject to confidentiality obligations. The Company conducts security awareness training for relevant personnel.
9. Vulnerability Management
The Company maintains a vulnerability management programme including regular patching of operating systems and applications, periodic vulnerability scanning, and remediation of identified vulnerabilities based on severity.
10. Business Continuity
The Company maintains backup and recovery procedures for systems that process Personal Data. Backups are encrypted and tested periodically.
SCHEDULE 3 — INTERNATIONAL TRANSFER ADDENDUM
Part A — EU Standard Contractual Clauses
Where Section 11.1 of the DPA applies, the SCCs are incorporated by reference into this DPA and the Parties shall be deemed to have agreed to and executed the SCCs by executing the Agreement (into which this DPA is incorporated by reference). The following selections apply:
| Module | Module Two (Controller to Processor) |
| Clause 7 (Docking Clause) | Not included |
| Clause 9(a) (Subprocessors) | Option 2 — General written authorisation. See Section 6.3 of the DPA. |
| Clause 11 (Redress) | Optional language not included. |
| Clause 13(a) (Supervision) | The model language is retained and adopted. |
| Clause 17 (Governing Law) | Ireland OR The laws of the EU Member State in which the data exporter is established. |
| Clause 18(b) (Forum) | Ireland OR The courts of the EU Member State in which the data exporter is established. |
| Annex I.A (Parties) | Data exporter: the Customer. Data importer: the Company. |
| Annex I.B (Processing) | As described in Schedule 1 of this DPA. |
| Annex I.C (Competent Authority) | As determined under Clause 13(a) above. |
| Annex II (TOMs) | As described in Schedule 2 of this DPA. |
Part B — UK Addendum
Where Section 11.2 of the DPA applies, the UK Addendum is incorporated by reference in this DPA and supplements the SCCs (as incorporated in Part A above) as follows:
| Table 1 (Parties) | As set out in the SCCs (as incorporated in Part A above). |
| Table 2 (SCCs) | The SCCs (as incorporated in Part A above) apply with the following modifications: (a) references to the GDPR are read as references to the UK GDPR; (b) references to “EU Member State” are read as references to the United Kingdom; (c) the competent supervisory authority is the UK Information Commissioner’s Office; and (d) the governing law and forum are the laws and courts of England and Wales. |
| Table 3 (Appendix Information) | As set out in Schedule 1 and Schedule 2 of this DPA. |
| Table 4 (Ending the Addendum) | Neither party may end the UK Addendum in accordance with Section 19 of the UK Addendum. |
Part C — Switzerland
Where Section 11.3 of the DPA applies, the SCCs (as incorporated in Part A above) apply with the following modifications: (a) references to the GDPR are read as references to the FADP; (b) references to “Member State” are read as references to Switzerland; (c) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (d) the governing law and forum are the laws and courts of Switzerland.
Part D — Singapore
Where Section 11.4 of the DPA applies, the Company shall comply with the transfer requirements under the PDPA, ensuring that the recipient provides a standard of protection for Personal Data that is at least comparable to the protection under the PDPA. Where required, the Company shall enter into binding contractual arrangements with the recipient to this effect.