Data Processing Agreement

Last updated: 2026-05-22 · v1.0

This Data Processing Agreement (“DPA”) sets out the terms under which suPlay BV (“Processor”) processes Personal Data on behalf of the Customer (“Controller”) in connection with The Beer Game platform (“Service”). It is designed to meet the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

When this DPA is needed. Most use of The Beer Game is by individual instructors signing up for their own account and inviting their students to anonymous, single-session play. In that scenario the instructor is the controller for their own account data and there is no further controller–processor relationship. A signed DPA becomes relevant when an institution (university, school, training company) procures the Service centrally for its staff.

How to sign: request a PDF copy by emailing privacy@suplay.nl, complete Annex A with your organisation’s details, sign, and return. We will counter-sign within five business days.

1. Definitions

  • “Personal Data”, “Processing”, “Controller”, “Processor”, “Subprocessor”, “Data Subject” have the meanings given in the GDPR.
  • “Service” means The Beer Game platform as described in our Terms of Service.
  • “Main Agreement” means the Terms of Service and any signed order form under which the Controller uses the Service.

2. Subject matter and duration

This DPA applies to all Processing of Personal Data carried out by suPlay BV on behalf of the Controller under the Main Agreement. It is in force for the duration of the Main Agreement and survives until all Personal Data processed hereunder has been deleted in accordance with §10.

3. Nature and purpose of processing

The Processor processes Personal Data solely to provide the Service: operating instructor accounts, hosting Beer Game sessions, sending transactional email (verification, password reset, classroom invitations), and producing CSV exports for the instructor’s own debriefs. A description of Processing activities, categories of Data Subjects, and categories of Personal Data is set out in Annex B.

4. Documented instructions

The Processor processes Personal Data only on documented instructions from the Controller. Use of the Service through its documented user interfaces constitutes such instructions. The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

5. Confidentiality of personnel

The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Security (Art. 32)

The Processor implements appropriate technical and organisational measures, described in full at /security. Measures include, at minimum:

  • TLS 1.2+ for all external traffic; HSTS enforced.
  • Encryption of off-site backups at rest (GPG-AES256; passphrase held only by suPlay BV).
  • bcrypt password hashing; SHA-256 token hashing for invitation and verification tokens.
  • Stateless CSRF tokens on all state-changing endpoints.
  • Rate limiting on login (5 attempts / 15 min) and email-verification code endpoints.
  • Strict security headers (X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy).
  • Server-authoritative game engine — no game state is trusted from the client.
  • Hardened OS (AlmaLinux 9 with Apache, SELinux enforcing, key-only SSH on a non-default port).

7. Subprocessors

The Controller authorises the Processor’s engagement of the Subprocessors listed on our Subprocessors page as of the Effective Date. The Processor will:

  • Impose contractual obligations on each Subprocessor no less protective than this DPA.
  • Give the Controller at least 30 days’ written notice before adding or replacing any Subprocessor.
  • Allow the Controller to object on reasonable grounds within that 30-day period; if the objection cannot be resolved, the Controller may terminate the affected subscription on a pro-rata basis.

8. Assistance (Arts. 28(3)(e), (f))

Taking into account the nature of the Processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to Data Subject rights requests (Chapter III GDPR), data breach notification, and prior consultation with the supervisory authority.

  • Instructor users: self-service via /app/account (access, rectification, erasure of the account).
  • Student / participant requests: on request via privacy@suplay.nl within 30 days. In practice, student participation is anonymous (alias only) and short-lived; we do not link aliases to real identities.

9. Personal-data breach notification (Art. 33)

The Processor notifies the Controller without undue delay, and in any case within 72 hours of becoming aware, of any Personal Data breach affecting the Controller’s data. The notification will describe the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and remediation measures taken or proposed.

10. Return or deletion of Personal Data

On termination of the Main Agreement, the Controller may export its instructor account data, session leaderboards, and per-session CSVs for 30 days. After that period, the Processor deletes all Personal Data processed under this DPA within 90 days, including from database backups on their next rotation, unless Union or Member State law requires longer storage (for example, Dutch tax law requires billing records to be retained for seven years).

11. Audit (Art. 28(3)(h))

The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR, including this DPA, the Subprocessors page, and the Security overview. The Processor supports remote, questionnaire-based audits at no cost, and on-site audits at the Controller’s reasonable expense, limited to once per calendar year unless required by a supervisory authority.

12. International transfers

All primary processing and backups occur within the European Economic Area. Where any Personal Data is transferred outside the EEA to a Subprocessor, the transfer is made on the basis of the European Commission’s Standard Contractual Clauses (Decision 2021/914 or any successor), unless the recipient country has an adequacy decision under Art. 45 GDPR.

13. Liability and order of precedence

Each party’s liability under this DPA is subject to the liability limits of the Main Agreement. In case of conflict between this DPA, the Main Agreement, and the GDPR, the GDPR prevails, then this DPA, then the Main Agreement.

14. Governing law and jurisdiction

This DPA is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the District Court of Overijssel (Rechtbank Overijssel, locatie Almelo), without prejudice to a Data Subject’s statutory rights of complaint to a supervisory authority.


Annex A — Parties (to be completed by the Customer)

Processor: suPlay BV, Enschede, The Netherlands. KvK: 70176264. VAT: NL858175691B01. Data Protection contact: privacy@suplay.nl.

Controller:

  • Legal name: ____________________________________
  • Registered address: ____________________________
  • Company / institution registration: _____________
  • VAT ID: ___________________________________________
  • Represented by (name, title): ____________________
  • Privacy contact (name, email): ____________________
  • Effective date: ___________________________________

Annex B — Processing description

Subject matter and duration: operation of The Beer Game platform for the duration of the Main Agreement.

Nature and purpose: delivering a multiplayer educational simulation of a four-tier supply chain (Retailer, Wholesaler, Distributor, Factory) for use in classroom teaching of operations management. Includes instructor accounts, classroom session hosting, transactional email, and per-session CSV exports for debriefs.

Categories of Data Subjects:

  • Instructor users — the Controller’s teaching staff or contractors who create accounts and host sessions.
  • Student / participant respondents — individuals who join a session via a code or QR code under a self-chosen alias. The Service does not require students to identify themselves and stores no email address for them.

Categories of Personal Data:

  • Instructor contact data: name, email address, employer (optional), role.
  • Instructor authentication data: bcrypt-hashed password, session identifiers.
  • Game data: self-chosen player alias, role assignment, order/inventory time series, brief in-chain chat messages.
  • Technical log data: IP address, user-agent, request path, timestamp (retained 90 days maximum).

Special categories of data: none are knowingly processed. The Controller is responsible for ensuring students do not submit special-category data (Art. 9 GDPR) through chat fields or self-chosen aliases.

Processing operations: collection, storage, in-memory simulation, display to authorised parties (instructor and in-chain players), transmission to Subprocessors for email and error monitoring, erasure on request or schedule.

Annex C — Subprocessors

The current list of Subprocessors is maintained on our Subprocessors page and incorporated into this DPA by reference.

© 2026 suPlay BV · Enschede, The Netherlands