coherence logo
    coherence logocoherence logo
    • Case Studies
    • Pricing
    • Blog
    Sign UpLog In
    coherence logocoherence logo

    About Us

    • Our Story
    • News
    • Careers
    • Contact

    Product

    • Features
    • Install Unity Multiplayer SDK
    • FAQs

    Resources

    • Blog
    • Discord
    • Forums
    • Documentation
    • Global Game Jam

    Why coherence

    • Indie Developers
    • Small Studios
    • Enterprise

    Subscribe to our newsletter

    Want the latest news and updates from coherence delivered to your inbox? Subscribe to our newsletter to stay up to date and for exclusive announcements.

    ©2025 coherence ApS. All rights reserved.
    Privacy Policy.Terms of Service.
    Discord

    DATA PROCESSING ADDENDUM

    coherence ApS (“coherence”) and the counterparty agreeing to these terms (“Customer”) have entered into a main agreement, coherence’s Terms of Service, or another written or electronic agreement for the provision of coherence’s networking engine and multiplayer platform (collectively, the “Services”) (the “Main Agreement”).

    This Data Processing Addendum, including its Annexes (the “DPA”), forms part of the Main Agreement.

    coherence and the Customer may each be referred to as a “Party” and together as the “Parties”.

    This DPA is effective, and replaces any previously applicable data processing terms (including any prior data processing agreement or addendum relating to the Services), from the date on which the Customer clicked to accept the Terms of Service or the Parties otherwise agreed to this DPA.

    If you are accepting this DPA on behalf of the Customer, you warrant that:

    1. You have full legal authority to bind the Customer to this DPA;
    2. You have read and understood this DPA; and
    3. You agree, on behalf of the Customer, to this DPA.

    If you do not have the legal authority to bind the Customer, you must not accept this DPA.

    Purpose of the Data Processing Addendum

    The Parties anticipate that coherence may process Personal Data, including transfers outside the EEA and UK, for which the Customer or its Group members act as Controllers under applicable Data Protection Laws. This DPA ensures adequate safeguards for such processing in accordance with the EU GDPR, UK GDPR, and other applicable data protection laws, and prevails over the Main Agreement to the extent of any conflict concerning Personal Data processing.


    1. DEFINITIONS

      In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

      a) "Adequate Country" means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner's Office and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the EU GDPR;
      b) “Customer” means the person or entity identified as “you” in the coherence Terms of Service (or EULA) or as “Developer” in the Main Agreement;
      c) “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) and any applicable laws of EU Member States (the "EU GDPR"), and (ii) the UK General Data Protection Regulation, the Data Protection Act 2018, and any implementing regulations (the "UK GDPR");
      d) "Data Subject Request" means a request from or on behalf of a data subject to exercise rights under Data Protection Laws;
      e) "EU Clauses" means the standard contractual clauses for international transfers of Personal Data to third countries adopted by the European Commission in Decision 2021/914 (Module Two – Controller to Processor), as incorporated in Schedule 2;
      f) "Personal Data" means personal data or personal information of Customer processed by coherence on behalf of Customer under this DPA and as defined in the Data Protection Laws;
      g) "Security Breach" means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of coherence' staff or sub-processors, or any other identified or unidentified third-party;
      h) "Supervisory Authority" means (i) in the UK, the Information Commissioner’s Office (and, where applicable, the Secretary of State or the government), and (ii) in the EU, an independent public authority established pursuant to the EU GDPR;
      i) "UK Approved Addendum" means the template Addendum B.1.0 issued by the UK Information Commissioner’s Office, in force from 21 March 2022, and incorporated into this DPA; and
      j) "UK Mandatory Clauses" means the Mandatory Clauses of the UK Approved Addendum, as updated or replaced from time to time.

      The terms "Controller", "Data Subject", "Processor" and "Sub-processor” have the meanings ascribed to them in the Data Protection Laws. Any defined terms which are not defined in this DPA are as defined in the Main Agreement.

    2. ROLES AND COMPLIANCE

      2.1. The Customer is the Controller and coherence the Processor of Personal Data. Each Party shall ensure compliance with applicable Data Protection Laws, and use reasonable efforts to ensure that its personnel and sub-processors do the same.

      2.2. References in this DPA to the Customer include, where relevant, any entity that directly or indirectly controls, is controlled by, or is under common control with the Customer, and to which the Services are made available under the Main Agreement.

      2.3. The Customer remains solely responsible for the accuracy, quality, legality, and lawful acquisition of Personal Data.

    3. DESCRIPTION OF PROCESSING

      3.1. The subject matter, nature and purposes of the processing, duration, types of Personal Data and categories of Data Subject are as set out in ANNEX I to Schedule 2.

      3.2. As a Processor, coherence will only process Personal Data (i) in order to provide the Services to Customer as agreed in the Main Agreement or (ii) per Customer's instructions in writing or via email.

      3.3. coherence shall process Personal Data only on the Customer’s documented instructions, unless required to do so by applicable law, in which case coherence shall (unless prohibited by law) inform the Customer. If coherence considers that any Customer instruction infringes applicable Data Protection Laws, it shall inform the Customer without undue delay. Upon termination of the Main Agreement, coherence shall, at the Customer’s written request, return or securely delete all Personal Data (including copies), unless applicable law requires its retention.

    4. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

      4.1. coherence shall maintain appropriate technical, physical, and organizational measures, as set out in Annex II, to protect Personal Data in its possession, custody, or control, and shall not reduce the level of protection.

      4.2. coherence will take reasonable steps to ensure that access to Personal Data is limited to authorised personnel bound by confidentiality obligations.

      4.3. The Customer is responsible for Personal Data security while in its possession, custody, or control, including during transmission over the Internet or other third-party networks. The Customer shall implement physical, administrative, and technical measures to: (i) protect its and its Authorised Personnel’s access credentials; (ii) secure its information technology systems, including computers, software, databases, electronic systems (including database management systems) and networks, whether operated directly or via third parties; (iii) prevent unauthorised access to or use of the Services through such systems or credentials; and (iv) ensure the confidentiality, integrity, and availability of Personal Data in transit to coherence.

      4.4. The Customer is solely responsible for determining whether coherence’s security measures satisfy its requirements and data protection obligations under applicable laws. The Customer acknowledges that coherence’s security measures provide a level of protection appropriate to the risk for Personal Data.

    5. SUB-PROCESSORS

      5.1. The Customer grants coherence general authorisation to engage sub-processors, including permitting each sub-processor to appoint further sub-processors under equivalent terms, in accordance with this Section. The authorised sub-processors are listed in ANNEX III to Schedule 2 (the “Sub-processor List”), which specifies the name, location, and a brief description of each sub-processor’s processing activities. coherence may update the Sub-processor List from time to time.

      5.2. coherence shall give the Customer advance notice of any new or replacement sub-processor. The Customer may object in writing within fifteen (15) days of notice if it has reasonable data protection concerns. The Parties will work in good faith to resolve the objection; if unresolved, either Party may terminate the Main Agreement as its sole remedy.
      5.3. coherence shall enter into a written contract with each sub-processor imposing obligations no less protective of Personal Data than those set out in this DPA. coherence remains liable for any breach by its sub-processors, except where otherwise required by applicable law.

    6. COMPLIANCE VERIFICATION

      6.1. Upon request, and subject to the Main Agreement’s confidentiality provisions, coherence shall provide information reasonably necessary to demonstrate compliance with this DPA. This may include:

      • responses to a reasonable security questionnaire,
      • executive summaries of available third-party certifications or audit reports, and
      • summaries of operational practices related to data protection and security.

      6.2. If the information provided is insufficient, the Customer may request an on-site audit at coherence’s designated facility, limited to procedures relevant to the protection of Customer Personal Data. The Customer shall reimburse coherence at its then-current professional services rates. Before any audit, the Parties shall agree in writing on its scope, timing, and duration.

      6.3. This Section does not grant the right to audit coherence’s sub-processors directly, except to the extent required under applicable Data Protection Laws.

    7. SECURITY BREACHES

      7.1. coherence shall notify the Customer of any confirmed Security Breach affecting Personal Data without undue delay and, in any event, no later than 48 hours after becoming aware of the breach. Such notice shall include, to the extent available at the time:

      • a description of the nature of the Security Breach,
      • the categories and approximate number of data subjects affected,
      • the categories and approximate number of Personal Data records concerned,
      • likely consequences of the Security Breach, and
      • measures taken or proposed to address and mitigate its possible adverse effects.

    8. DATA SUBJECT REQUESTS

      8.1. To the extent legally permitted, coherence shall promptly notify the Customer if it receives a Data Subject Request relating to Personal Data.

      8.2. coherence shall not respond directly to the Data Subject Request unless expressly authorised to do so by the Customer, except to confirm that the request relates to the Customer.

      8.3. If the Customer is unable to respond independently, coherence shall, upon written request, provide reasonable assistance to facilitate the Customer’s response, provided such assistance is consistent with applicable Data Protection Laws.

    9. FURTHER ASSISTANCE

      9.1. coherence will provide assistance as Customer reasonably requests in relation to Customer's obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Customer in response to a Security Breach, or (iii) Customer's compliance with its obligations under the EU GDPR or UK GDPR (as applicable) with respect to the security of processing.

      9.2. Assistance shall be provided to the extent reasonably required, proportionate to the processing activities, and consistent with the limits set out in the Main Agreement.

    10. INTERNATIONAL TRANSFERS

      10.1. The Customer acknowledges that use of the Services may involve the transfer and processing of Personal Data in countries other than the country of origin, including where coherence is based, and in countries outside the EEA or UK that are not recognised Adequate Countries.

      10.2. UK transfers:

      • 10.2.1. Where Personal Data is transferred to coherence and processed by or on behalf of coherence outside the UK (except if in an Adequate Country) and such transfer would be prohibited by the UK GDPR, the Parties agree that the EU Standard Contractual Clauses (SCCs), as amended by the UK Addendum, shall apply and are incorporated into this DPA
      • 10.2.2. The details required for Tables 1–4 of the UK Addendum are set out in Schedule 1.

      10.3. EU transfers:

      • 10.3.1. Where Personal Data is transferred to coherence and processed by or on behalf of coherence outside the EEA (except if in an Adequate Country) and such transfer would otherwise be prohibited by the EU GDPR, the Parties agree that the SCCs shall apply and are incorporated into this DPA in accordance with Schedule 2.
      • 10.3.2. The Annexes to Schedule 2 contain the details required by the SCCs.

      10.4. In case of any inconsistency between this DPA and the SCCs or UK Addendum, the SCCs or UK Addendum shall prevail for the purposes of the relevant transfer.

      10.5. coherence may replace the SCCs and/or UK Addendum with an alternative lawful transfer mechanism or updated version approved under applicable Data Protection Laws. coherence will notify the Customer of any such change and update this DPA as necessary, provided the replacement ensures a level of protection substantially equivalent to the original mechanism.

      10.6. Where the Customer exercises rights under the SCCs or UK Addendum that require services beyond those ordinarily provided under the Main Agreement, coherence may charge a reasonable fee for such services.

    11. GENERAL

      11.1. coherence may update this DPA from time to time to reflect changes in legal requirements, industry standards, or our business practices. No change will materially reduce the level of protection for Personal Data provided under this DPA. If you reasonably object to a change that materially impacts your rights under this DPA, you may notify us, and the Parties will work together in good faith to resolve the objection.

      11.2. This DPA constitutes the final, complete, and exclusive agreement between the Parties regarding its subject matter and supersedes all prior discussions or agreements relating to it. Other than for statements made fraudulently, no other representations or terms apply. No modification, amendment, or waiver will be effective unless made in writing (including electronic form) and confirmed by both Parties.

      11.3. This DPA is without prejudice to the rights and obligations of the Parties under the Main Agreement which shall continue to have full force and effect.

      11.4. This DPA supplements the Main Agreement. In the event of any conflict between the DPA and the Main Agreement, the DPA (including its Schedules) shall prevail in respect of the processing of Personal Data. If there is any inconsistency between this DPA and the EU Standard Contractual Clauses or the UK Addendum (where applicable), the latter shall prevail.

      11.5. To the extent permitted by applicable law, coherence’s maximum aggregate liability to the Customer under or in connection with this DPA shall not under any circumstances exceed the maximum aggregate liability of coherence to the Customer as set out in the Main Agreement.

      11.6. This DPA shall be governed by, and construed in accordance with, the laws of Denmark, excluding its conflict of law rules. The Parties submit to the exclusive jurisdiction of the courts of Copenhagen, Denmark.

      11.7. This DPA is for the benefit of the Parties and their respective permitted successors and assigns only. No other person has any rights to enforce its terms.

      11.8. Each Party warrants that it has the full power and authority to enter into and perform this DPA, and that this DPA is binding and enforceable against it in accordance with its terms.

      11.9. This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together form a single agreement.


    SCHEDULE 1: UK TRANSFERS

    For the purposes of the UK Approved Addendum,

    1. The information required for Table 1 is contained in ANNEX I of Schedule 2 of this DPA and the start date shall be deemed dated the same date as the EU Clauses;
    2. In relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor;
    3. in relation to Table 3, the list of Parties and description of the transfer are as set out in ANNEX I of Schedule 2 of this DPA, coherence’s' technical and organisational measures are set in ANNEX II of Schedule 2 of this DPA, and the list of coherence’s sub-processors shall be provided pursuant to ANNEX III of Schedule 2 of this DPA; and
    4. In relation to Table 4, neither Party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.

    SCHEDULE 2: EU CLAUSES

    1. For the purposes of this Schedule 2, the EU Standard Contractual Clauses (Module Two – Controller to Processor), as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, are incorporated by reference into and form an integral part of this DPA. The Parties’ signatures to this DPA shall be deemed to apply to the EU Clauses. In the event of any inconsistency between this DPA and the EU Clauses, the latter shall prevail.
    2. For the purposes of the EU Clauses, the following shall apply:
      • Customer shall be the data exporter and coherence shall be the data importer. Each Party agrees to be bound by and comply with its obligations in its role as exporter and importer respectively as set out in the EU Clauses.
      • Clause 7 (Docking clause) shall be deemed as included.
      • Clause 9 (Use of sub-processors): OPTION 2 - GENERAL WRITTEN AUTHORISATION shall apply. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance.
      • Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included.
      • Clause 13 (a) (Supervision):
        • Where Customer is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I. C, shall act as competent supervisory authority.
        • Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I. C, shall act as competent supervisory authority.
        • Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I. C, shall act as competent supervisory authority.

    ANNEX I to Schedule 2

    LIST OF PARTIES

    The Data Exporter is the agreeing Party to this DPA (Customer, as described in the DPA above), providing multiplayer games or other services, as controller.

    The Data Importer is coherence ApS, Mågevej 27, 2680 Solrød Strand, Denmark, as processor.

    DESCRIPTION OF TRANSFER

    Categories of data subjects whose Personal Data is transferred

    • Online Players
    • Application Users

    Categories of Personal Data transferred

    • Player name
    • User ID
    • IP address
    • Device manufacturer / model, OS and version running on your system or device.

    Personal Data collected in games built with coherence is used to create and administer player accounts, to maintain and improve stability and reliability of our Services, and to understand network load and traffic on a statistical level.

    No sensitive data is transferred.

    The transfers are continuous while providing the Services.

    Personal Data will be retained for the duration of the Main Agreement.


    ANNEX II to Schedule 2

    coherence shall implement appropriate technical and organizational measures, considering the state of the art, implementation costs, processing purposes, and risks to individuals’ rights and freedoms, to ensure security appropriate to the risk, including:

    • Network Security
      • Implementation of firewalls and network segmentation.
      • Backend services operate within a private Virtual Private Cloud (VPC), ensuring complete isolation between environments.
    • Data Encryption
      • End-to-end encryption is enforced for all data, both in transit and at rest.
    • Access Control
      • Strict access controls are maintained through multi-factor authentication and role-based access control.
      • Secure VPN access is mandatory for all infrastructure connections.
    • Vulnerability Management
      • We perform regular security updates and continuous vulnerability scanning.
      • GitHub Dependabot is utilized for automated dependency updates and reporting of known vulnerabilities.
    • Backup and Recovery
      • Automated backup systems (AWS) with recovery procedures in place.
    • Monitoring and Incident Response
      • Monitoring and logging systems are active across the infrastructure.
      • An incident response plan is established to detect, escalate, and manage operational events.

    ANNEX III to Schedule 2

    Last Updated: August 12th, 2025

    To support delivery of our Services, coherence may engage and use data processors with access to certain Customer Data (Sub-processor). This annex provides important information about the identity, location and role of each Sub-processor.

    Third Parties

    coherence currently uses third party Sub-processors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any third party Sub-processor, coherence performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.

    Infrastructure Subprocessors

    coherence may use the following Sub-processors to host Customer data or provide other infrastructure that helps with delivery of our Services:

    Entity Name Sub-processing Activities Entity Country
    Amazon Web Services Cloud Service Provider USA
    Google Email, file storage, collaboration USA
    Xsolla Payment Provider USA
    Sendgrid Email Marketing USA
    Posthog Analytics USA
    Slack Communication USA
    Pipedrive CRM USA
    Discourse Community USA
    Twilio Cloud Communications USA
    DocuSign Document Management USA

    Updates

    The Sub-processors we use may change in the future. We will endeavor to provide the Customer with notice of any new Sub-processors to the extent required under the Agreement, along with posting such updates here.