Data Processing Addendum (DPA)
Last updated: June 12, 2026.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other agreement (the “Agreement”) between the operator of cs.cheap (“Processor,” “we,” “us,” or “our”) and the customer entity that is party to the Agreement (“Controller” or “Customer”).
This DPA applies only where Processor processes Personal Data on behalf of Controller in connection with the Services. Where you use the Services solely for your own personal account, our Privacy Policy governs and this DPA does not apply.
1. Definitions
- “Applicable Data Protection Law” means all applicable privacy and data protection laws, including (where applicable) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), UK GDPR, and the California Consumer Privacy Act as amended (“CCPA/CPRA”).
- “Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.
- “Processing” has the meaning set forth under Applicable Data Protection Law.
- “Subprocessor” means any third party engaged by Processor to process Personal Data on behalf of Controller.
2. Roles of the Parties
The parties acknowledge and agree that:
- Controller is the data controller (or business, as defined under CCPA/CPRA) of the Personal Data of its personnel and authorized users covered by this DPA.
- Processor is the data processor (or service provider) of such Personal Data.
- Processor processes such Personal Data solely on behalf of Controller and does not determine the purposes or means of its processing except as necessary to provide the Services.
For account administration, billing and payment records, security, fraud and abuse prevention, legal compliance, and support operations, we may also process certain personal data as an independent controller (or business) for our own purposes, as described in our Privacy Policy. Such processing is outside the scope of this DPA.
3. Scope and Nature of Processing
3.1 Subject Matter
Provision of the cs.cheap website and API for Counter-Strike item price data and related account, subscription, and billing functionality.
3.2 Duration
For the term of the Agreement and until deletion or return of Personal Data in accordance with Section 10.
3.3 Nature and Purpose
Processing necessary to:
- Authenticate Controller's authorized users and secure their accounts
- Manage account-level access metadata, API key records, subscription status, and usage metadata received from or associated with the Services
- Manage subscriptions, credits, and payment records
- Generate authentication and security logs
- Prevent fraud and abuse
- Maintain service integrity
3.4 Categories of Data Subjects
- Customer personnel and authorized users
3.5 Categories of Personal Data
May include:
- Identifiers (e.g., email, SteamID, GitHub identity, user ID)
- Authentication credentials (e.g., hashed passwords, session tokens) and API keys
- Billing and usage metadata
- Login metadata (e.g., IP address, device info) and security logs
Sensitive personal data is not required for the Services.
4. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller.
- Ensure personnel authorized to process Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures to protect Personal Data, as described in Annex II.
- Notify Controller without undue delay upon becoming aware of a Personal Data Breach.
- Assist Controller, taking into account the nature of processing, in responding to data subject requests.
- Assist Controller in meeting obligations related to security, breach notification, impact assessments, and regulatory consultations, where applicable.
5. Subprocessors
Processor may engage Subprocessors to provide the Services. Current Subprocessors include cloud hosting and serverless compute providers, Neon (database), Resend (email delivery), and Cloudflare (bot protection).
Independent services that the Services integrate with — including Steam and GitHub (sign-in) and NOWPayments (payment processing) — act as independent controllers of the data they process and are not Subprocessors under this DPA; see our Privacy Policy.
Processor shall:
- Maintain a current list of Subprocessors available upon request.
- Impose data protection obligations on Subprocessors consistent with this DPA.
- Remain responsible for Subprocessor performance.
Controller may object to a new Subprocessor on reasonable data protection grounds within 10 days of notice.
6. International Transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, Processor shall ensure appropriate safeguards are in place, including the Standard Contractual Clauses set forth in Exhibit A.
7. Security Measures
Processor maintains an information security program comprising the technical and organizational measures described in Annex II of Exhibit A.
8. Audit Rights
Upon reasonable written notice, Controller may request documentation demonstrating Processor's compliance with this DPA. On-site audits shall be limited to once annually and subject to reasonable confidentiality and security restrictions.
9. CCPA/CPRA Terms
Processor shall:
- Not “sell” or “share” Personal Data as those terms are defined under the CCPA/CPRA.
- Not retain, use, or disclose Personal Data outside the direct business relationship or for any purpose other than providing the Services.
- Comply with applicable obligations of a service provider under CCPA/CPRA.
10. Return and Deletion
Upon termination of the Agreement, Processor shall delete or return Personal Data, unless retention is required by law.
11. Liability
Liability under this DPA is subject to the limitations of liability set forth in the Agreement.
Exhibit A — Standard Contractual Clauses (SCCs)
For transfers of Personal Data from the European Economic Area (EEA), Switzerland, or the United Kingdom to countries not recognized as providing an adequate level of data protection, the parties agree as follows:
- The Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) are hereby incorporated by reference.
- Module Two (Controller to Processor) applies where Controller acts as controller and Processor acts as processor.
- Module Three (Processor to Processor) applies where relevant.
- In Clause 7, the optional docking clause applies.
- In Clause 9, Option 2 applies and the time period for prior notice of Subprocessor changes shall be as set forth in Section 5 of this DPA.
- In Clause 11, the optional language does not apply.
- In Clause 17, the governing law shall be the law of Ireland (or another EU Member State agreed by the parties).
- In Clause 18(b), disputes shall be resolved in the courts of Ireland.
- For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs is incorporated by reference.
- Annexes I, II, and III to the EU SCCs are completed as set forth below.
Annex I.A — List of Parties
- Data exporter: the Customer entity that is party to the Agreement, acting as controller. Contact details: as provided in the Customer's account.
- Data importer: the operator of cs.cheap, acting as processor. Contact: [email protected].
Annex I.B — Description of Transfer
- Categories of data subjects: as described in Section 3.4 of this DPA.
- Categories of personal data: as described in Section 3.5 of this DPA. No sensitive data is transferred.
- Frequency of the transfer: continuous, for the duration of the Agreement.
- Nature and purpose of the processing: as described in Sections 3.1 and 3.3 of this DPA.
- Retention period: for the term of the Agreement and until deletion or return under Section 10; billing records may be retained longer where required by tax and accounting law.
- Transfers to Subprocessors: as described in Section 5 and Annex III.
Annex I.C — Competent Supervisory Authority
The supervisory authority of the EU Member State in which the data exporter is established. Where the data exporter is not established in the EU, the competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs; absent such determination, the Irish Data Protection Commission.
Annex II — Technical and Organizational Measures
- Encryption of data in transit (TLS)
- Passwords stored hashed; API keys stored hashed or otherwise secured, never exposed to client-side code or logged in plaintext
- Logical access controls on a least-privilege basis, with periodic access review
- Multi-factor authentication for administrative access
- Security monitoring and audit logging
- Backup and recovery procedures
- Secure software development practices, including dependency review
- Incident response procedures, including breach notification as described in Section 4
Annex III — Subprocessors
The Subprocessors listed in Section 5 of this DPA.
The full text of the EU SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
This DPA is published in English, Simplified Chinese, and Russian. If there is any inconsistency between a translated version and the English version, the English version controls to the extent permitted by law.
By using the Services, the parties agree to this DPA.