Data Processing Addendum

For personal data submitted to the LarpLabs platform, the customer is the "controller" and LarpLabs is the "processor" as those terms are defined under applicable data protection law, including GDPR and CCPA.

LarpLabs will process personal data only on documented instructions from the customer, including those in the underlying agreement, configurations within the product, and authenticated API calls.

Personnel authorized to process personal data are bound by confidentiality obligations and trained on data-handling practices.

LarpLabs implements technical and organizational measures described in our Security overview, including encryption in transit and at rest, least-privilege access, and incident response procedures.

Customer authorizes LarpLabs to engage subprocessors to deliver the service. A current list is available on request and we'll notify customers of material changes with a reasonable window to object.

Where personal data is transferred internationally, LarpLabs relies on appropriate transfer mechanisms, including the EU Standard Contractual Clauses, where required.

LarpLabs will reasonably assist the customer in fulfilling its obligations to respond to data subject requests and to conduct any required impact assessments.

On termination, LarpLabs will delete or return personal data in its possession within a reasonable period, unless retention is required by law.

Reach our DPO at [email protected].