Appendix A - Module Four

Last updated: May 29, 2026

ANNEX I to Processor-Controller SCCs

FOR PROCESSOR SERVICES - MODULE FOUR TRANSFER PROCESSOR TO CONTROLLER

A. LIST OF PARTIES

Data exporter(s):

Name: Rocket Science Corporation (UK) Ltd

Address: • 4th Floor Elgin House, 106-107 St Mary's Street, Cardiff, United Kingdom, CF10 1DX

Contact person's name, position and contact details: Data Protection Officer; DPO; dpo@rocketscience.gg

Activities relevant to the data transferred under these Clauses: Oversight of common data protection program to assure uses of the transferred data are limited to the uses described herein.

Date: Deemed signed and effective as of the effective date set forth in the applicable Service Order Form or the date on which Customer registered for any of the Services or otherwise accessed, enabled or utilised any of the Services, whichever is earlier.

Role (controller/processor): Processor

Data importer(s):

Name: _________________ i.e., Customer, as identified in the applicable Service Order Form and/or Customer's Account

Address: _________________ i.e., Customer's address, as identified in the applicable Service Order Form and/or Customer's Account

Contact person's name, position and contact details: _________________ i.e., Customer's point of contact, as identified in the applicable Service Order Form and/or Customer's Account

Activities relevant to the data transferred under these Clauses: Oversight of common data protection program to assure uses of the transferred data are limited to the uses described herein.

Date: Deemed signed and effective as of the effective date set forth in the applicable Service Order Form or the date on which Customer registered for any of the Services or otherwise accessed, enabled or utilised any of the Services, whichever is earlier.

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • Data subjects may include Customers and their End Users about whom Personal Data is provided to Provider via the Services by, or at the direction of, Customer.

Categories of personal data transferred

  • Customer account information: contact information, billing information, authentication credentials, and service usage data.

  • End User data (processed on behalf of Customer): IP addresses and usernames/gamertags as may appear in service logs.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Transferred continuously

Nature of the processing

  • To provide infrastructure hosting and orchestration services, technical account management, and operational support in accordance with the Agreement.

Purpose(s) of the data transfer and further processing

  • To provide infrastructure hosting and orchestration services.

  • To facilitate, support and operate Customer's game services and applications.

  • To provide technical account management and 24/7 operational support.

  • Analytics to maintain and improve the service.

  • For Provider's internal purposes, including billing and payment processing, fraud prevention, and improving products and services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Provider retains personal data for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include:

  • The length of time Provider has an ongoing relationship with the data subject and/or Customer, including the provision of services;

  • Whether there is a legal obligation to which Provider is subject;

  • Whether retention is advisable in light of our legal position.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Provider uses processors as necessary to perform the Services pursuant to the Agreement on a continuous basis for the duration of the retention period.

C. COMPETENT SUPERVISORY AUTHORITY

Provider's Competent Supervisory Authority is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom; casework@ico.org.uk; +44 (0)303 123 1113

D. ELECTIONS UNDER EU SCCS

  1. Clause 7 Docking Clause: This optional clause allowing, with the agreement of the Parties, for an entity that is not a Party to these Clauses to accede to these Clauses at any time shall apply.

  2. Clause 9 (a) Use of sub-processors: N/A for Module Four

  3. Clause 11 (a) Redress: This optional clause allowing for the appointment of an independent dispute resolution body to receive complaints by the data subjects shall not apply.

  4. Clause 13 (a) Supervision: N/A for Module Four

  5. Clause 17 Governing Law: These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law provided for in Section 4.7 of the DPA.

  6. Clause 18 (b) Choice of Forum and Jurisdictions: Any dispute arising from these Clauses shall be resolved by the courts provided for in Section 4.7 of the DPA.

E. ELECTIONS UNDER THE UK SCCS

The Information Commissioner's Office International Data Transfer Addendum To The EU Commission Standard Contractual Clauses shall be deemed incorporated by reference to this DPA.

  1. The Parties and Selected SCCs, Modules and Selected Clauses have been identified in this ANNEX I above.

  2. Either Importer or Exporter may end the Addendum as set out in Section 19 of the Addendum i.e.:

  3. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 "Ending the Addendum when the Approved Addendum changes", will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

    1. its direct costs of performing its obligations under the Addendum; and/or

    2. its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

F. ELECTIONS UNDER SWISS SCCS

The SCCs will be deemed completed in accordance with this Annex 1 except that:

  1. References to "Member State" in the 2021 Standard Contractual Clauses refer to Switzerland, and data subjects may exercise and enforce their rights under the 2021 Standard Contractual Clauses in Switzerland.

  2. References to GDPR in the 2021 Standard Contractual Clauses refer to the Swiss Federal Act on Data Protection (as amended and replaced).

G. TECHNICAL AND ORGANISATIONAL MEASURES

As set out in Provider's Security, Privacy and Architecture Documentation, made available to Customers from time to time.