Data Processing Agreement

• "Controller" means the Discord server administrator who determines the purposes and means of the processing of personal data by installing and configuring the Bot in their Discord server.
• "Processor" means Ticket King, which processes personal data on behalf of the Controller in accordance with the Controller's instructions and this DPA.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed, including Discord users who participate in ticket channels and server staff who interact with the Service.
• "Personal Data" means any information relating to a Data Subject as defined in Article 4(1) of the GDPR.
• "Processing" means any operation performed on personal data, including collection, storage, organization, structuring, retrieval, use, disclosure, combination, restriction, erasure, and destruction.
• "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
• "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.

Ticket King processes personal data to provide the following services on behalf of the Controller:

• Ticket Transcript Generation and Storage: Message content, metadata, user identifiers, and timestamps from designated ticket channels are collected and stored persistently on Ticket King's servers. This data is compiled into ticket transcripts.
• Image and Attachment Storage: Images and file attachments uploaded by users within ticket channels are stored persistently on Ticket King's infrastructure and displayed within ticket transcripts.
• Ticket Data Display: Ticket message data is made accessible via an authenticated web interface at ticketking.xyz to authorized users (ticket creators and designated server staff). This includes real-time display of messages from open tickets to authorized server staff through the web dashboard, as well as display of completed transcripts from closed tickets.
• Server Configuration: Server configuration data (channel settings, role permissions, custom messages, webhook URLs) is stored persistently to operate the Bot according to the Controller's preferences.

The duration of processing continues for as long as the Bot remains installed in the Controller's server and for a reasonable period thereafter to fulfill any outstanding obligations, unless earlier termination is requested.

The parties acknowledge and agree to the following roles:

• Controller: The Discord server administrator is the Controller. The Controller determines the purposes and means of processing by deciding to install the Bot, configuring ticket channels, setting access permissions, and directing which data is collected through the Bot's configuration options.
• Processor: Ticket King is the Processor. Ticket King processes personal data on behalf of the Controller in accordance with the Controller's instructions (as expressed through the Bot's configuration and this DPA) and applicable law.
• Independent Controller Activities: Ticket King also acts as an independent data controller for certain processing activities that are not performed on behalf of the server administrator, including: operating and maintaining the ticketking.xyz website, managing user accounts and authentication, security logging and monitoring, and service improvement analytics. These activities are governed by our Privacy Policy.

The personal data processed under this DPA relates to the following categories of Data Subjects:

• Ticket Participants: Discord users who create tickets or send messages within ticket channels managed by the Bot.
• Server Staff: Discord users who are designated as support staff or administrators and interact with ticket channels or the dashboard.
• Server Administrators: Discord users who install and configure the Bot, and who access the dashboard to manage server settings and transcripts.

The following categories of personal data are processed:

• Discord user IDs (persistent unique identifiers)
• Discord usernames and display names
• Discord avatar images
• Message content (text) from ticket channels
• Message timestamps
• Message IDs
• Images and file attachments uploaded within ticket channels (including PNG, JPG, GIF, WEBP, and other file formats)
• Compiled transcript files (HTML format)
• Discord server IDs, channel IDs, and role IDs
• Custom ticket configurations and message templates
• Webhook URLs (if provided by the Controller)
• Discord authorization token hashes (stored temporarily in memory for session verification, not persisted to permanent storage)
• IP addresses of users accessing transcripts on the Website
• Browser and device information of users accessing transcripts on the Website

In accordance with Article 28 of the GDPR, Ticket King as Processor undertakes to:

• Process on Instructions: Process personal data only on documented instructions from the Controller (including as set forth in this DPA and through the Bot's configuration interface), unless required to process by applicable law, in which case Ticket King shall inform the Controller of that legal requirement before processing (unless prohibited from doing so).
• Confidentiality: Access to personal data is restricted exclusively to the sole operator of the Service. The sole operator is bound by appropriate confidentiality obligations with respect to all personal data processed under this DPA, in accordance with Article 28(3)(b) of the GDPR. No other individuals, including community support staff, have access to personal data or production systems.
• Security Measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Details of these measures are described in our Security Policy.
• Sub-processor Requirements: Not engage another processor (sub-processor) without prior general written authorization of the Controller, as described in Section 9 below.
• Data Subject Rights: Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR.
• Security and Breach Obligations: Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Ticket King.
• Deletion or Return: At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data. See Section 15 for details.
• Audit and Compliance: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. See Section 16 for details.
• Unlawful Instructions: If Ticket King reasonably believes that a Controller's processing instruction infringes the GDPR, UK GDPR, or any other applicable data protection law, Ticket King shall promptly inform the Controller and may suspend the relevant processing until the instruction is clarified or amended. Ticket King shall not be liable for any delay or disruption resulting from such suspension. If the Controller insists on an instruction that Ticket King reasonably considers unlawful, Ticket King may terminate this DPA and the affected processing with immediate effect.

To the fullest extent permitted by applicable law, Ticket King's aggregate liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), or otherwise, shall not exceed the greater of: (a) the total fees paid by the Controller to Ticket King in the twelve (12) months preceding the event giving rise to the claim, or (b) one hundred United States dollars (US $100).

In no event shall Ticket King be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, loss of data, business interruption, or loss of goodwill, regardless of whether such damages were foreseeable or whether Ticket King was advised of the possibility of such damages.

The limitations in this section shall not apply to: (a) liability arising from fraud or fraudulent misrepresentation; (b) liability for death or personal injury caused by negligence; or (c) any liability that cannot be excluded or limited under the GDPR, UK GDPR, or other mandatory applicable data protection law, including any mandatory liability of the Processor under Article 82 of the GDPR.

The Controller acknowledges that Ticket King's pricing reflects the allocation of risk set forth in this DPA and that the limitations of liability are a fundamental element of the agreement between the parties. Without these limitations, Ticket King would not be able to provide the Service on an economically feasible basis.

The remedies set forth in this section constitute the Controller's sole and exclusive remedies with respect to any claims arising out of or relating to this DPA, except where mandatory applicable law provides otherwise.

The Controller acknowledges and agrees to the following obligations:

• Lawful Basis: The Controller is responsible for ensuring that it has a valid legal basis under applicable data protection law for instructing Ticket King to process personal data, including informing Data Subjects about the processing as required by Articles 13 and 14 of the GDPR.
• Instructions: The Controller shall ensure that its processing instructions to Ticket King comply with applicable data protection law. The Controller acknowledges that the Bot's configuration options constitute its documented instructions to the Processor.
• Data Subject Notification: The Controller is responsible for informing its server members that the Bot is active and that messages and attachments in ticket channels will be stored, may be viewable in real time by authorized server staff through the web dashboard while tickets are open, and will be compiled into transcripts accessible on the Website after ticket closure.
• Data Subject Requests: The Controller is responsible for responding to Data Subject rights requests in accordance with GDPR Chapter III, with Ticket King's assistance as described in this DPA.
• DPIA: The Controller is responsible for conducting a Data Protection Impact Assessment where required by Article 35 of the GDPR, taking into account the nature of the processing performed by Ticket King.
• Compliance: The Controller shall comply with all applicable data protection laws in connection with its use of the Service, including providing any required notices and obtaining any required consents from Data Subjects.
• Indemnification: The Controller shall indemnify, defend, and hold harmless Ticket King from and against any and all claims, demands, actions, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or in connection with: (a) the Controller's breach of this DPA or any applicable data protection law; (b) the Controller's processing instructions to the extent they cause Ticket King to infringe applicable data protection law; (c) any claim by a Data Subject arising from the Controller's failure to comply with its obligations under applicable data protection law, including failure to provide required notices or obtain required consents; (d) any regulatory investigation, inquiry, fine, or enforcement action directed at Ticket King arising from the Controller's use of the Service or the Controller's failure to comply with its data protection obligations; or (e) any third-party claim arising from the content processed through the Controller's use of the Service.

Ticket King uses third-party service providers (sub-processors) to assist in providing the Service. The Controller provides general written authorization for Ticket King to engage sub-processors, subject to the conditions set out in this section.

Ticket King currently engages the following categories of sub-processors:

• Cloud hosting provider — Provides server infrastructure for hosting the Bot, Website, and database — located in the United States.
• CDN and security provider — Provides content delivery, DDoS protection, DNS, and web application firewall services — global presence.
• Object storage provider — Provides storage for transcript data and uploaded images/attachments.

This list is current as of the effective date of this DPA. An updated list of sub-processors may be requested at any time by contacting us at [email protected].

Changes to Sub-processors:

Ticket King will notify Controllers of any intended changes to the addition or replacement of sub-processors via an announcement in our Discord support server or by email at least 14 days before the change takes effect.

Objection Process:

• Controllers may object to a new or replacement sub-processor by providing written notice to Ticket King within fourteen (14) days of receiving notification of the change. The objection must state reasonable data-protection grounds for the objection.
• Upon receipt of a valid objection, Ticket King will make commercially reasonable efforts to address the Controller's concerns, which may include proposing an alternative sub-processor or modifying the Service to avoid processing by the objected-to sub-processor.
• If the parties are unable to reach a resolution within thirty (30) days of the Controller's objection, either party may terminate the processing activities affected by the proposed sub-processor change upon written notice to the other party.
• Ticket King shall not be liable for any disruption to the Service resulting from the Controller's objection to a sub-processor or from termination under this provision.

Each sub-processor is bound by a data processing agreement imposing data protection obligations equivalent to those set out in this DPA.

Ticket King implements appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

• Encryption of data in transit using TLS/HTTPS for all web traffic and API communications
• Encryption of data at rest for databases and stored files, including disk-level encryption for database volumes and provider-managed encryption for object storage, with additional application-level AES-256 encryption for sensitive data such as authentication tokens
• Access restricted exclusively to the sole operator of the Service; no other individuals have access to personal data or production systems
• Database security measures including authentication, network isolation, and firewall rules
• Access controls for stored images and attachments, preventing unauthorized or public access
• Regular security updates and patching of server infrastructure
• Secure development practices with attention to identifying and addressing potential vulnerabilities
• Authorization tokens are never stored; only cryptographic hashes are held temporarily in memory for session verification

For further details on our security practices, please refer to our Security Policy.

In the event of a personal data breach (as defined in Article 4(12) of the GDPR), Ticket King will:

• Notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach, providing the following information:
  • The nature of the personal data breach, including the categories and approximate number of Data Subjects affected
  • The categories and approximate number of personal data records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to be taken to address the breach and mitigate its effects
  • The contact point at which more information can be obtained ([email protected])
• Where the breach involves data obtained through Discord's API (API Data), notify Discord immediately in accordance with Discord's Developer Terms of Service, in addition to notifying the Controller.
• Cooperate with the Controller in fulfilling the Controller's notification obligations to supervisory authorities (under Article 33 of the GDPR) and to Data Subjects (under Article 34 of the GDPR).
• Document all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken.

The Controller is responsible for determining whether a breach requires notification to the relevant supervisory authority and/or affected Data Subjects, and for making such notifications in accordance with applicable law.

Ticket King is operated from the United States. Our primary server infrastructure is located in the United States, with content delivery and security services operating globally. Where personal data is transferred from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to the United States, this DPA incorporates the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) for the direct transfer of personal data from the Controller to Ticket King. The required Annexes to the SCCs are deemed completed as follows: Annex I corresponds to the information in Sections 3, 4, and 5 of this DPA; Annex II corresponds to the information in Section 10 and our Security Policy. For onward transfers to sub-processors, we rely on the following additional mechanisms:

• Standard Contractual Clauses (SCCs): Our third-party service providers (sub-processors) maintain Data Processing Agreements that incorporate the European Commission's Standard Contractual Clauses adopted pursuant to Implementing Decision (EU) 2021/914, ensuring equivalent data protection obligations for onward transfers.
• UK International Data Transfer Addendum: For transfers from the United Kingdom, our sub-processors' agreements incorporate the UK International Data Transfer Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office (ICO).
• Swiss Transfers: For transfers from Switzerland, our sub-processors' agreements incorporate the European Commission's SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Controllers may request further information about the applicable transfer mechanisms by contacting us at [email protected].

Ticket King has assessed its processing activities and believes that the standard processing described in this DPA does not require a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR on the part of the Processor. However, we acknowledge that:

• The nature of support ticket data means it may occasionally include sensitive personal information provided voluntarily by Data Subjects.
• The obligation to conduct a DPIA rests with the Controller, who should assess the necessity based on their specific use case, the nature of data processed in their server, and the volume of Data Subjects affected.
• Ticket King will assist the Controller in conducting a DPIA if required, by providing necessary information about our processing activities, security measures, and safeguards.

Ticket King will reassess this determination periodically or when our processing activities change significantly.

Ticket King will assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR Chapter III (Articles 15-22), including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

• Data Subjects may request deletion of their ticket data and associated transcripts at any time by emailing [email protected] with the subject line "Data Deletion Request" and including their Discord user ID. We will process deletion requests within 30 days. We can delete transcripts where the requester is the author. However, where the requester participated in transcripts authored by others, we may not be able to selectively remove their individual messages from those multi-author transcripts without affecting the integrity of the record. We will inform the requester of any such limitations and confirm removal upon completion.
• Server administrators (Controllers) may request deletion or modification of their configuration data by contacting us.
• If Ticket King receives a request directly from a Data Subject, we will promptly inform the Controller (unless prohibited by law) and will not respond to the request without the Controller's authorization, unless required by applicable law.

Server configuration data is retained after the Bot is removed from a Discord server to support continued transcript access and potential re-installation. The Controller may request deletion of configuration data at any time. Upon written request from the Controller:

• Where required by applicable law, the Controller may request a data export of their transcript data by contacting us at [email protected]. We will endeavor to accommodate such requests where technically feasible. There is no formal self-service export mechanism.
• Upon the Controller's request, Ticket King will delete all transcript data and associated personal data related to the Controller's server within 30 days. This includes transcript files, stored messages, metadata, and uploaded images and attachments.
• Ticket King may retain personal data beyond the deletion period where required by applicable law, but will inform the Controller of any such legal retention requirement and will limit processing to that which is required by law.
• Backup copies containing the deleted data will be purged at the next backup rotation cycle (backups are retained on a 30-day rotation).

Discord API Termination: Discord's Developer Terms of Service obligate developers to delete all cached and stored API Data if Discord terminates or revokes their API access. Although Ticket King does not anticipate any disruption to the Service, this disclosure is included for transparency regarding that obligation. In the unlikely event that Discord terminates Ticket King's access to the Discord API, Ticket King will comply with its obligation under Discord's Developer Terms of Service to delete data obtained through the API. Ticket King will notify affected Controllers of any such requirement and will provide reasonable advance notice where possible. The Controller acknowledges that compliance with Discord's requirements may necessitate deletion of personal data processed under this DPA.

Cessation of Service: If Ticket King permanently ceases operations, all API Data obtained through Discord's API will be deleted in accordance with Discord's Developer Terms of Service. Ticket King will provide reasonable advance notice to affected Controllers where possible and make reasonable efforts to facilitate data export before deletion occurs.

Ticket King will make available to the Controller, upon reasonable request, all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR.

Ticket King will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

• Audits shall be limited to once per twelve (12) month period, unless an additional audit is required by a supervisory authority or is necessary in connection with a personal data breach.
• Audit requests must be submitted in writing with at least 30 days' notice.
• Audits shall be conducted during normal business hours and in a manner that does not disrupt Ticket King's operations.
• The Controller shall bear the costs of any audit conducted by a third-party auditor.
• The Controller or auditor shall be bound by confidentiality obligations with respect to any information obtained during the audit.
• Ticket King may satisfy audit requests by providing relevant certifications, audit reports, or documentation where available.

Ticket King processes personal data in accordance with the principle of data minimization, collecting and retaining only the data categories described in this DPA as necessary to provide ticket management and transcript functionality. We regularly review our processing activities to ensure alignment with this principle.

This DPA shall remain in effect for the duration of Ticket King's processing of personal data on behalf of the Controller. This DPA will automatically terminate when:

• The Bot is removed from the Controller's Discord server and all associated data has been deleted in accordance with Section 15.
• The Controller's account with Ticket King is terminated.
• The underlying Terms of Service between the parties are terminated.
• In the unlikely event that Discord terminates or revokes Ticket King's access to the Discord API, requiring deletion of API Data in accordance with Discord's Developer Terms of Service.
• Ticket King permanently ceases operations.

The obligations of the Processor with respect to confidentiality, data security, and cooperation with the Controller shall survive termination of this DPA to the extent necessary to protect personal data that remains in the Processor's possession pending deletion.

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to conflict of law provisions, except to the extent that the GDPR, UK GDPR, or other mandatory data protection laws apply and cannot be derogated from by contract. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

For any questions regarding this DPA, data processing activities, or to exercise any rights described herein, please contact us at [email protected].