Data Processing Agreement - Remote Admin by RoUtilities

This Data Processing Agreement ("DPA") forms part of the Terms of Service between RoUtilities ("Processor") and each workspace operator ("Controller") who uses Remote Admin by RoUtilities. By creating a workspace and using the Service, the Controller agrees to this DPA. This DPA is incorporated into and subject to the Terms of Service.

1. Definitions

In this DPA, the following terms have the meanings set out below:

"Controller" means the workspace operator — the Roblox game developer or studio that has created a workspace on the Service and determines the purposes and means of processing Roblox player data within that workspace.
"Processor" means RoUtilities, the operator of Remote Admin by RoUtilities, which processes personal data on behalf of the Controller solely to provide the Service.
"Data Subject" means any identified or identifiable natural person whose personal data is processed — in the context of this DPA, primarily Roblox players (including minors) whose data is transmitted to the Service by the Controller.
"Personal Data" has the meaning given in the GDPR: any information relating to an identified or identifiable natural person.
"Processing" has the meaning given in the GDPR and includes collection, storage, retrieval, use, disclosure, and deletion of Personal Data.
"GDPR" means the EU General Data Protection Regulation (Regulation 2016/679) and, where applicable, its UK equivalent (UK GDPR).
"PIPEDA"means Canada's Personal Information Protection and Electronic Documents Act.
"Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
"Services" means the remote administration platform provided at the Remote Admin by RoUtilities website, as described in the Terms of Service.

2. Subject Matter, Duration, Nature, and Purpose of Processing

2.1 Subject Matter

The Processor processes Personal Data relating to Roblox players on behalf of the Controller solely to provide the moderation, analytics, and administration features of the Service within the Controller's workspace.

2.2 Duration

This DPA is effective for as long as the Controller maintains an active workspace on the Service. Upon workspace deletion or account termination, the Processor will delete or anonymise Personal Data in accordance with the retention schedule in the Privacy Policy and Section 9 of this DPA.

2.3 Nature of Processing

The Processor carries out the following processing activities on behalf of the Controller:

Receiving and storing player data transmitted from the Controller's Roblox game server via the Service SDK
Displaying player data within the Controller's dashboard for moderation and administration purposes
Executing moderation commands (kick, ban, mute) on behalf of the Controller's staff members
Retaining chat logs, event logs, and moderation records for the periods specified in the Privacy Policy
Automatically pruning and anonymising data in accordance with retention schedules
Processing erasure requests submitted through the Roblox Right-to-Erasure mechanism on behalf of the Controller

2.4 Purpose of Processing

Personal Data is processed exclusively to provide the remote administration and moderation services described in the Terms of Service. The Processor does not use Personal Data for its own independent purposes, including advertising, model training, or cross-workspace profiling.

3. Types of Personal Data and Categories of Data Subjects

3.1 Types of Personal Data

The Personal Data processed under this DPA includes:

Player identifiers: Roblox user IDs and usernames
Display names: Roblox display names as provided by the Roblox platform
Chat messages: In-game chat content transmitted to the Service for moderation purposes
Behavioural events: Player join/leave events, game actions, and statistics
Moderation records: Ban records, kick logs, mute records, and admin action history
Session data: Server IDs, session timestamps, and game server information

The Processor does not receive or process real names, email addresses, IP addresses, payment information, or other personal data about Roblox players. All player data is identified by Roblox-assigned identifiers only.

3.2 Categories of Data Subjects

The Data Subjects are Roblox players who participate in the Controller's Roblox experience(s). This population may include minors under the age of 13, as the Roblox platform is accessible to users of all ages. The Controller, as the COPPA operator and/or data controller, is responsible for ensuring that appropriate parental consents and disclosures are in place for their experience.

4. Obligations of the Processor

The Processor agrees to the following obligations with respect to Personal Data processed under this DPA:

4.1 Instructions

The Processor will process Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service. If the Processor is required by applicable law to process Personal Data for another purpose, it will notify the Controller before doing so (unless prohibited by law).

4.2 Confidentiality

The Processor will ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.

4.3 Security

The Processor will implement appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, but are not limited to:

Encryption of data in transit using TLS/SSL
Password hashing using bcrypt
Role-based access controls within the platform
Workspace-level data isolation (player data is not accessible across workspace boundaries)
Regular security monitoring and vulnerability assessment

4.4 Sub-processors

The Processor may engage sub-processors to assist in providing the Service. The current sub-processors are:

Vultr (or equivalent cloud hosting provider): Cloud infrastructure and data storage
Stripe: Payment processing (does not process Roblox player data)

The Processor will ensure that sub-processors are bound by data protection obligations at least equivalent to those in this DPA. The Processor remains liable to the Controller for the acts and omissions of sub-processors as if they were the Processor's own.

The Processor will notify the Controller of any intended change to sub-processors by updating this DPA or publishing a notice on the platform, giving the Controller a reasonable opportunity to object.

4.5 Assistance with Data Subject Rights

Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law. In particular:

Erasure: The Service provides a Roblox Right-to-Erasure integration. Erasure requests submitted through the Roblox mechanism are automatically processed and a compliance log is retained as required by GDPR Art. 5(2).
Access: The Controller can view all player data within their workspace via the dashboard.
Restriction / Objection: The Controller may delete individual records or entire workspace data via the dashboard or by contacting [email protected].

4.6 Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach.

4.7 Data Protection Impact Assessments

The Processor will provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) and in prior consultation with supervisory authorities, where required by applicable data protection law.

4.8 Audit Rights

The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA, and will allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller, subject to reasonable notice (not less than 30 days) and confidentiality obligations.

5. Obligations of the Controller

The Controller agrees to:

Ensure that there is a lawful basis under applicable data protection law for transmitting Roblox player data to the Service
Provide Data Subjects with the information required by applicable law (including GDPR Art. 13/14 and COPPA) about the use of the Service as a data processor, either within the Controller's own privacy notice or by reference to this DPA
Ensure that any staff members added to the workspace who process player data are aware of and comply with the data use restrictions in the Terms of Service (§7)
Not instruct the Processor to process Personal Data in a manner that would violate applicable law
Respond promptly to the Processor's reasonable requests for information or co-operation in connection with data subject rights, regulatory requests, or data breach investigations

6. International Data Transfers

The Service is hosted on cloud infrastructure that may be located outside the European Economic Area (EEA) or the United Kingdom. Where Personal Data of EEA or UK residents is transferred to servers located outside those regions, the Processor relies on the cloud hosting provider's own data transfer mechanisms (such as Standard Contractual Clauses or equivalent safeguards under its own DPA with the Processor) to legitimise the transfer.

The Controller may request information about the specific hosting locations and applicable transfer mechanisms by contacting [email protected].

7. Deletion and Return of Data

Upon termination of the Controller's workspace or account, the Processor will, at the Controller's choice and within a reasonable period (not to exceed 30 days):

Delete all Personal Data processed under this DPA, except to the extent that applicable law requires continued retention; or
Provide the Controller with a copy of the Personal Data in a machine-readable format (where technically feasible), after which the Processor will delete its copies.

The following data is subject to mandatory retention notwithstanding workspace deletion, as required by applicable law or legitimate business necessity:

Erasure compliance logs: Retained indefinitely as an accountability record under GDPR Art. 5(2). These logs record only that a deletion request was processed, the date, and the Roblox user ID — no other personal data is retained.
Billing records: Retained for 7 years as required by Canadian tax law.

8. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service (§9). In the event of any conflict between this DPA and the Terms of Service regarding data protection liability, this DPA prevails to the extent of the conflict.

9. Governing Law

This DPA is governed by the laws of Canada. Any disputes arising under this DPA are subject to the dispute resolution provisions in the Terms of Service (§12).

10. Contact

Questions or requests relating to this DPA should be directed to:

Email:[email protected]
Platform:Remote Admin by RoUtilities