PotUtopia

Data Processing Addendum (DPA)

Effective: 2026-02-22 Processor: sins4skins Hosting: Contabo VPS (France, EU)

1) Parties

Controller: The Discord server owner/operator (or other authorised admin entity) that determines the purposes and means of processing for the server’s community features enabled via the Bots (“Controller”).
Processor: sins4skins, the operator of the Bots (“Processor”).

2) Scope & Role Clarity

For server-specific processing that the Controller configures (e.g., routing messages to channels, connecting a game server, enabling stats), the Processor acts as a Processor on behalf of the Controller.

Separately, the Processor may act as an independent controller for limited operational data needed to secure and maintain the service (e.g., abuse-prevention logs). This DPA covers the Processor role for server-configured processing.

3) Processing Instructions

The Processor will process personal data only on documented instructions from the Controller, as configured via bot settings and commands, unless required to do otherwise by applicable law.

4) Confidentiality

The Processor ensures that persons authorised to process personal data are under an obligation of confidentiality or are subject to an appropriate statutory obligation.

5) Security Measures

The Processor will implement appropriate technical and organisational measures to protect personal data. RCON credentials are treated as sensitive data and stored/handled as encrypted or otherwise protected private configuration data, with access restricted to operational necessity.

6) Sub-processors

The Controller authorises the Processor to use the following sub-processors for infrastructure hosting:

• Contabo (VPS hosting; data stored on EU infrastructure in France).

The Processor will provide notice of material changes to sub-processors via an update to these documents (or equivalent notice on the site).

7) Assistance with Data Subject Requests

Taking into account the nature of processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising data subject rights.

8) Personal Data Breach Notification

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data, and will provide information reasonably required for the Controller to meet its obligations.

9) Deletion or Return of Data

At the Controller’s choice and upon request (or upon termination/removal of the Bots where feasible), the Processor will delete or return Controller personal data, unless storage is required by law or needed for limited security/abuse-prevention purposes.

10) Audits & Information

The Processor will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, subject to proportionality, security constraints, and protection of other customers and secrets.

Annex A — Details of Processing

• Subject matter: operation of Discord bot features for the Controller’s server.
• Duration: for the period the Bots are enabled/configured and as needed for retention described in the Privacy Policy.
• Nature & purpose: message routing, server integrations, statistics generation, tracking features.
• Categories of data: Discord guild/channel IDs; Alderon IDs/names; webhook-delivered events including in-game chat; server IP/port; RCON credentials.
• Data subjects: Discord users and game players associated with the Controller’s server/community.

Annex B — Security Measures (Summary)

• Access control with least-privilege.
• Encryption/protection of sensitive secrets (including RCON) at rest where feasible.
• Reasonable logging for security, integrity, and abuse prevention.
• Routine updates and patching practices for the hosting environment.

Annex C — Sub-processor List

• Contabo — EU VPS hosting (France).