Appendix A - Module One

Last updated: May 29, 2026

ANNEX I to Controller-Controller Services

FOR CONTROLLER SERVICES - MODULE ONE TRANSFER CONTROLLER TO CONTROLLER

A. LIST OF PARTIES

Data exporter in relation to relevant restricted transfers from Customer to Provider Data importer in relation to relevant restricted transfers from Provider to Customer

Name: _________________ i.e., Customer, as identified in the applicable Service Order Form and/or Customer's Account

Address: _________________ i.e., Customer's address, as identified in the applicable Service Order Form and/or Customer's Account

Contact person's name, position and contact details: _________________ i.e., Customer's point of contact, as identified in the applicable Service Order Form and/or Customer's Account

Activities relevant to the data transferred under these Clauses: _________________ i.e., Storing and analysing data to carry out the purposes of the data transfer

Date: Deemed signed and effective as of the effective date set forth in the applicable Service Order Form or the date on which Customer started to use Provider's services, whichever is earlier.

Role (controller/processor): Controller

Data exporter in relation to relevant restricted transfers from Provider to Customer Data importer in relation to relevant restricted transfers from Customer to Provider

Name: Rocket Science Corporation (UK) Ltd

Address: • 4th Floor Elgin House, 106-107 St Mary's Street, Cardiff, United Kingdom, CF10 1DX

Contact person's name, position and contact details: Data Protection Officer; DPO; dpo@rocketscience.gg

Activities relevant to the data transferred under these Clauses: Storing and analysing data to carry out the purposes of the data transfer

Date: Deemed signed and effective as of the effective date set forth in the applicable Service Order Form or the date on which Customer registered for any of the Services or otherwise accessed, enabled or utilised any of the Services, whichever is earlier.

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • Data subjects may include Customers and their End Users about whom Personal Data is provided to Provider via the Services by, or at the direction of, Customer.

Categories of personal data transferred

  • Customer account information: contact information, billing information, authentication credentials, and service usage data.

  • End User data (processed on behalf of Customer): IP addresses and usernames/gamertags as may appear in service logs.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Transferred continuously

Nature of the processing

  • To provide infrastructure hosting and orchestration services, technical account management, and operational support in accordance with the Agreement.

Purpose(s) of the data transfer and further processing

  • To provide infrastructure hosting and orchestration services in accordance with the Agreement.

  • To facilitate, support and operate Customer's game services and applications.

  • Analytics to maintain and improve the service.

  • For Provider's internal purposes, including billing and payment processing, fraud prevention, and improving products and services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Provider retains personal data for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include:

  • The length of time Provider has an ongoing relationship with the data subject and/or Customer, including the provision of services;

  • Whether there is a legal obligation to which Provider is subject;

  • Whether retention is advisable in light of our legal position.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Provider uses processors as necessary to perform the Services pursuant to the Agreement on a continuous basis for the duration of the retention period.

C. COMPETENT SUPERVISORY AUTHORITY

Provider's Competent Supervisory Authority is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom; casework@ico.org.uk; +44 (0)303 123 1113

D. ELECTIONS UNDER EU SCCS

  1. Clause 7 Docking Clause: This optional clause allowing, with the agreement of the Parties, for an entity that is not a Party to these Clauses to accede to these Clauses at any time shall apply.

  2. Clause 9 (a) Use of sub-processors: N/A for Module One

  3. Clause 11 (a) Redress: This optional clause allowing for the appointment of an independent dispute resolution body to receive complaints by the data subjects shall not apply.

  4. Clause 13 (a) Supervision:

  5. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

  6. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

  7. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

  8. Clause 17 Governing Law: Option One allowing for these Clauses to be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law provided for in Section 4.7 above.

  9. Clause 18 (b) Choice of Forum and Jurisdictions: The Parties agree that any dispute arising from these Clauses shall be resolved by the courts provided for in Section 4.7 above.

E. ELECTIONS UNDER THE UK SCCS

The Information Commissioner's Office International Data Transfer Addendum To The EU Commission Standard Contractual Clauses shall be deemed incorporated by reference to this DPA.

  1. The Parties and Selected SCCs, Modules and Selected Clauses have been identified in this ANNEX I above.

  2. Either Importer or Exporter may end the Addendum as set out in Section 19 of the Addendum i.e.:

  3. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 "Ending the Addendum when the Approved Addendum changes", will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

    1. its direct costs of performing its obligations under the Addendum; and/or

    2. its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

F. ELECTIONS UNDER SWISS SCCS

The SCCs will be deemed completed in accordance with this Annex 1 except that:

  1. Under Clause 13 of the EU SCCs, the competent supervisory authority is the Swiss Federal Data Protection and Information Commission to the extent that the transfer is governed by the Swiss Federal Act on Data Protection.

  2. References to "Member State" in the 2021 Standard Contractual Clauses refer to Switzerland, and data subjects may exercise and enforce their rights under the 2021 Standard Contractual Clauses in Switzerland.

  3. References to GDPR in the 2021 Standard Contractual Clauses refer to the Swiss Federal Act on Data Protection (as amended and replaced).