ShipThis Data Processing Agreement
Last Updated: 20th February 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and Hello Invent Ltd, trading as ShipThis ("ShipThis", "Processor"), a company incorporated in England and Wales with company number 09342309 and registered office at Makers Building, 1 Jasper Walk, London, England, N1 7TW.
This DPA applies where ShipThis processes Personal Data on behalf of the Customer in the course of providing the ShipThis service. It supplements the ShipThis Terms and Conditions and Privacy Policy. ShipThis is registered with the UK Information Commissioner's Office ("ICO") with registration number ZB812823.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the applicable Data Protection Laws.
- Data Protection Laws: (a) the UK General Data Protection Regulation (the "UK GDPR"), being the EU General Data Protection Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019; (b) the UK Data Protection Act 2018 ("DPA 2018"); and (c) where applicable to the processing, the EU General Data Protection Regulation (EU) 2016/679 ("EU GDPR"). References to "GDPR" in this DPA mean the UK GDPR and/or EU GDPR as applicable to the processing in question.
- Personal Data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- Data Subject: an identified or identifiable natural person whose Personal Data is processed.
- Controller: the Customer, who determines the purposes and means of the processing of Personal Data.
- Processor: ShipThis, who processes Personal Data on behalf of the Controller.
- Sub-processor: a third party engaged by ShipThis to process Personal Data on behalf of the Customer.
- Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Roles
The Customer acts as the Controller. ShipThis acts as the Processor. ShipThis processes Personal Data solely to provide the ShipThis build and deployment service as described in the Terms and Conditions.
ShipThis will only process Personal Data in accordance with the Customer's documented instructions, which are deemed to be given by the Customer's use of the Service and as set out in this DPA.
3. Details of Processing
The details of processing are as follows:
| Detail | Description |
|---|---|
| Subject matter | Provision of the ShipThis game build and deployment service |
| Duration | For the term of the Customer's account, plus a retention period of 30 days after account cancellation or termination |
| Nature and purpose | Building, packaging, and deploying mobile games to app stores on behalf of the Customer |
| Categories of Data Subjects | Customer team members, account holders, and users of the Customer's account (e.g. via CLI or API) |
| Types of Personal Data | Email addresses, IP addresses, browser user agents, API usage and audit logs (which may include IP addresses, user agents, timestamps, and action metadata), support correspondence (names, email addresses, message content, and any attachments or logs shared by the Customer). Google service account credentials (keys and associated email addresses) and Google Play Developer Account IDs (used during setup but not stored) are also processed; these are treated as Personal Data where they are linked to an identifiable individual, and as confidential business data otherwise. |
4. Processor Obligations
ShipThis shall:
4.1 Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. If ShipThis is required by law to process Personal Data for any other purpose, it will inform the Customer of that legal requirement before processing, unless prohibited by law from doing so. ShipThis will inform the Customer if it becomes aware that an instruction infringes applicable Data Protection Laws.
4.2 Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Implement and maintain appropriate technical and organisational measures to protect Personal Data, as described in Section 5 of this DPA.
4.4 Not engage another processor without prior written authorisation from the Customer, subject to the Sub-processor provisions in Section 6 of this DPA.
4.5 Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to Data Subject requests exercising their rights under applicable Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection).
4.6 Assist the Customer in ensuring compliance with obligations relating to security of processing, notification of Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to ShipThis.
4.7 At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of the Service, and delete existing copies unless applicable law requires storage. Uploaded game code and build outputs are automatically deleted 30 days after creation via a lifecycle policy on the storage.
4.8 Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
5. Security Measures
ShipThis implements the following technical and organisational measures to protect Personal Data:
Encryption
- All data in transit is protected with TLS 1.3, including client-to-backend and backend-to-build-server communications.
- Customer data at rest is encrypted using LUKS (Linux Unified Key Setup) on DigitalOcean Managed Database clusters.
- Google service account keys are stored in a private, encrypted DigitalOcean Space (S3-compatible) in Amsterdam, EU, with access restricted via IAM policies.
- Uploaded game code is stored in a private DigitalOcean Space, accessible only via short-lived signed URLs.
Ephemeral Build Infrastructure
- Build machines are provisioned per job and do not retain any customer files after a build completes.
- Build machines receive only a temporary signed download URL for the specific job they are running.
- Build machines cannot browse stored files or access anything outside their assigned job.
- A cleanup routine deletes all downloaded files, build intermediates, and temporary files after each job.
Access Control
- Production database access is restricted to a limited number of authorised personnel on a need-to-know basis.
- Contractor engineers do not have access to production systems or customer data.
- All user logins require two-factor authentication via email.
- IAM policies restrict service-level access to the minimum required.
Audit Logging
- API usage and access to sensitive resources are logged. Audit log entries may include IP addresses, browser user agents, timestamps, the action performed, and the associated user account.
- Audit logs are stored in the same encrypted database infrastructure as other Customer data and are subject to the same access controls.
- Audit logs are retained for the duration of the Customer's account and deleted within 30 days of account termination, as described in the Data Retention section below.
Data Backup
- Automated daily database backups with 7-day retention and point-in-time rollback capability, provided by the managed database service.
Data Retention
- Game code and build outputs (APK, AAB, IPA): automatically deleted after 30 days via a lifecycle policy on the storage, regardless of account status.
- Account data (email, profile, project configuration): retained for the duration of the Customer's account and deleted within 30 days of account termination.
- Audit logs: retained for the duration of the Customer's account and deleted within 30 days of account termination.
- Billing records: may be retained beyond account termination where required by applicable tax and accounting law (e.g. UK HMRC requirements). Such records are retained in accordance with the minimum period required by law and access is restricted to authorised personnel.
- Support correspondence: retained for the duration of the Customer's account and for up to 12 months after account termination for the purposes of troubleshooting, dispute resolution, and service quality assurance, then deleted.
- Security and fraud prevention logs: may be retained for up to 90 days after account termination where necessary for the detection and prevention of fraud or to comply with legal obligations. These logs are deleted once the retention purpose no longer applies.
- Database backups: automated daily backups are retained for 7 days on a rolling basis. Following account termination and deletion of primary data, residual Personal Data in backups will be overwritten within the 7-day backup rotation cycle and is not actively used or accessed in the interim.
Notwithstanding the above, ShipThis may retain Personal Data beyond the stated retention periods where required to comply with applicable law, respond to regulatory enquiries, or establish, exercise, or defend legal claims. Such data will be retained only for as long as the specific purpose requires and will remain subject to the security measures described in this DPA.
6. Sub-processors
6.1 The Customer provides general authorisation for ShipThis to engage the Sub-processors listed below. ShipThis has entered into written agreements with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA.
| Sub-processor | Purpose | Data Location | Personal Data Processed |
|---|---|---|---|
| DigitalOcean | Database hosting, file storage, credential storage | Amsterdam, EU | Yes — account data, uploaded game code, Google service account keys |
| Amazon Web Services (AWS) | Build infrastructure | US-East | Limited — build servers do not access Customer account data or stored credentials. Customer-uploaded code is processed for the duration of the build and may contain Personal Data depending on Customer content. |
| Resend | Transactional email delivery | US | Yes — email addresses |
| Cloudflare | CDN, DDoS protection, bot management | Global edge network | Limited — IP addresses, request metadata |
| Google Workspace | Email hosting, support correspondence | US | Yes — email addresses, names, support message content and attachments |
6.2 ShipThis will notify the Customer by email at least 30 days before adding or replacing a Sub-processor. If the Customer objects to a new Sub-processor on reasonable data protection grounds, the Customer may notify ShipThis in writing within 14 days of receiving notice. The parties will discuss the objection in good faith. If no resolution can be reached, the Customer may terminate the affected Service by providing written notice.
6.3 ShipThis remains liable to the Customer for the performance of each Sub-processor's obligations under this DPA.
7. International Data Transfers
ShipThis is a UK-based processor using Sub-processors that are headquartered in the United States or operate globally. Where Personal Data is accessed from, processed in, or made available to a recipient outside the UK or EEA (including by remote access), an international transfer may arise.
The following table summarises each Sub-processor's data location and processing scope. Transfer mechanisms are described below the table and apply based on the Sub-processor's certification status at the time of transfer.
| Sub-processor | Data Location | Headquarters | Processing Scope |
|---|---|---|---|
| DigitalOcean | Amsterdam, EU | US | Account data, uploaded game code, Google service account keys |
| Amazon Web Services (AWS) | US-East | US | Build infrastructure only; does not access Customer account database or stored credentials. Customer-uploaded code is processed for the duration of the build and may contain Personal Data depending on Customer content. |
| Resend | US | US | Email addresses for transactional email delivery |
| Cloudflare | Global edge network | US | IP addresses and request metadata |
| Google Workspace | US | US | Support correspondence including email addresses, names, and message content |
Transfer mechanisms:
Where an international transfer of Personal Data arises in connection with a Sub-processor listed above, ShipThis relies on the following mechanisms in order of preference:
- EU-US Data Privacy Framework / UK-US Data Bridge: Where a Sub-processor is certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the DPF (UK-US Data Bridge), ShipThis relies on that certification as the lawful transfer mechanism. If a Sub-processor's DPF certification lapses or is revoked, ShipThis will fall back to the mechanisms described below. ShipThis periodically verifies Sub-processor certification status via the Data Privacy Framework List.
- Standard Contractual Clauses / UK transfer tools: Where a Sub-processor is not DPF-certified, or where DPF certification is no longer available, ShipThis relies on: (a) for transfers subject to the EU GDPR, the European Commission's Standard Contractual Clauses (SCCs) as adopted under Commission Implementing Decision (EU) 2021/914; and (b) for transfers subject to the UK GDPR, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as issued by the ICO under Section 119A of the DPA 2018.
- Transfer safeguards: When engaging Sub-processors that involve international transfers, ShipThis considers the legal framework of the destination country, the nature and sensitivity of the data transferred, and the supplementary measures in place (such as encryption and access controls). These assessments are reviewed when Sub-processors are added or changed.
ShipThis will provide copies of relevant transfer mechanism documentation to the Customer on request.
8. Data Breach Notification
8.1 ShipThis will notify the Customer without undue delay after becoming aware of a Data Breach affecting the Customer's Personal Data, to enable the Customer to meet its own notification obligations under applicable Data Protection Laws.
8.2 The notification will include, to the extent available:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned.
- The name and contact details of ShipThis's data protection contact.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to be taken to address the Data Breach and mitigate its effects.
8.3 ShipThis will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
9. Audit Rights
9.1 ShipThis will make available to the Customer, on request, information necessary to demonstrate compliance with this DPA. This may include written responses to reasonable security questionnaires, summaries of technical and organisational measures, and, where available, relevant third-party audit reports or certifications (such as SOC 2).
9.2 Where the information provided under Section 9.1 is not sufficient to demonstrate compliance, the Customer may request an audit of ShipThis's processing activities, subject to the following conditions:
- The Customer must provide at least 30 days' written notice.
- Audits are limited to once per calendar year, unless a Data Breach has occurred or a supervisory authority requires an additional audit.
- Audits will be conducted remotely unless otherwise agreed in writing.
- Any third-party auditor appointed by the Customer must be bound by written confidentiality obligations and must not be a competitor of ShipThis. ShipThis reserves the right to object to an auditor on reasonable grounds.
- The scope of the audit is limited to ShipThis's processing activities under this DPA and does not extend to the data or systems of other customers.
9.3 The Customer will bear all costs of any audit it initiates. ShipThis may charge reasonable fees for staff time spent supporting audits that exceed one business day per calendar year. ShipThis will provide an estimate of such fees before the audit commences.
10. Term and Termination
10.1 This DPA takes effect on the date the Customer begins using the ShipThis service and remains in effect for as long as ShipThis processes Personal Data on behalf of the Customer.
10.2 Upon termination of the Service, ShipThis will delete Customer Personal Data in accordance with the retention periods described in Section 5 (Data Retention). Primary account data, audit logs, and project data are deleted within 30 days. Residual Personal Data in database backups is overwritten within the 7-day backup rotation cycle. Billing records and security/fraud prevention logs may be retained beyond termination only as specified in Section 5 and only to the extent required by applicable law or for the stated purpose.
10.3 The Customer may request confirmation of deletion by contacting [email protected].
11. Liability
11.1 Each party's total aggregate liability arising out of or in connection with this DPA (including in relation to Sub-processor obligations under Section 6.3) is subject to the limitations and exclusions of liability set out in the Terms and Conditions.
11.2 Nothing in this DPA excludes or limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be excluded or limited by applicable law.
11.3 Each party is responsible for any regulatory fines or penalties imposed directly on it by a supervisory authority in respect of that party's own obligations under applicable Data Protection Laws.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
13. Data Protection Officer
Hello Invent Ltd has appointed a Data Protection Officer (DPO) as its designated contact for data protection matters. The DPO can be contacted at:
- Email: [email protected]
- Post: Data Protection Officer, ShipThis, Makers Building, 1 Jasper Walk, London, England, N1 7TW
For any questions about this DPA, data subject requests, or to exercise any rights under it, contact the DPO using the details above.