Data Processing Agreement - Discord as a Processor

Buffy
  • Updated

Effective Date: January 22, 2026

Data Processing Agreement (Discord as Processor)

This Data Processing Agreement ("Agreement") applies to Personal Data Processing activities that Discord performs as a Processor (or equivalent term in applicable Data Privacy Laws) on behalf of Partner pursuant to applicable product terms, such as the Custom Audiences Agreement ("Applicable Product Terms"). To the extent there is any conflict between this Agreement, the Business Terms and the Applicable Product Terms, the terms of this Agreement prevail with respect to the subject matter of this Agreement. 

Unless otherwise defined herein, all capitalised terms shall have the meaning given to them in the Applicable Product Terms.

Partner and Discord agree as follows:

1. Definitions. For purposes of this Agreement:

a. “Affiliate(s)” means any entity which (directly or indirectly) controls, is controlled by and/or under common control with a party.

b. “Controller” has the meaning set out in the UK GDPR and/or EU GDPR, as applicable.

c. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any amendments thereto (“CCPA”), the Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Iowa Consumer Data Protection Act, Maryland Online Data Privacy Act, Montana Consumer Data Privacy Act, Nebraska Data Privacy Act, New Hampshire Privacy Act, New Jersey Data Protection Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, or Virginia Consumer Data Protection Act, the UK Data Protection Act 2018, the General Data Protection Regulation, Regulation (EU) 2016/679 (“EU GDPR”), the EU GDPR as it forms part of UK law (“UK GDPR”), the ePrivacy Directive (2002/58/EC), Brazil’s Lei Geral de Proteção de Dados, Law No. 13,709/2018 (“LGPD”), South Korea’s Personal Information Protection Act, Act No. 14839 (“PIPA”), and any laws or regulations succeeding or implementing the foregoing.  For the avoidance of doubt, if Discord’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Agreement.

d. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates. 

e. “EU SCCs” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj as described and completed in the “International Data Transfers” section below.

f. “Personal Data” means any Customer Data that qualifies as “personal data,” “personal information,” and “personally identifiable information,” all as defined by the applicable Data Privacy Laws and is Processed by Discord as a Processor (or equivalent term in applicable Data Privacy Laws).

g. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

h. “Processor” has the meaning set out in the UK GDPR and/or EU GDPR, as applicable.

i. “Processor Services” means the Processing activities carried out by Discord under the applicable Applicable Product Terms for which Discord is designated as a Processor (or equivalent term in applicable Data Privacy Laws).

j. “Restricted Transfer” means a transfer of Personal Data that is subject to Data Privacy Laws of another country or jurisdiction, including to a country that does not provide an adequate level of protection for Personal Data according to Data Privacy Laws.

k. “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

l. “UK SCCs” means the International Data Transfer Agreement to the EU Commission Standard Contractual Clauses (available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ ) as described and completed in the “International Data Transfers” section below.

2. Scope and Purposes of Processing

a. This Agreement covers the processing by Discord for when it acts as a processor of Personal Data for the performance of the services as described in the Applicable Product Terms.  The parties agree that under this Agreement, Partner acts as Controller and Discord as Processor, as determined by Data Privacy Laws. 

b. Partner instructs Discord to provide the Processor Services. Discord will not process the Personal Data for other purposes, unless required to do otherwise by Data Privacy Laws to which Discord is subject. In such a case, Discord will inform Partner of that legal requirement before Processing, unless that law prohibits Partner from providing such information on important grounds of public interest within the meaning of Data Privacy Laws. 

c. Discord will not share the Personal Data with any third party except where such sharing is: (i) in accordance with the applicable Advertiser Terms; (ii) to a Subprocessor in accordance with Section 7; or (iii) otherwise in accordance with Partner’s documented instructions.

d. Discord will immediately inform Partner if, in Discord’s opinion, an instruction from Partner infringes Data Privacy Laws.

e. Schedule 1 of this Agreement sets out the nature, duration and purpose of the Processing, the types of Personal Data that Discord Processes and the categories of Data Subjects whose Personal Data is Processed.

f. To the extent the Personal Data is subject to the CCPA, the parties acknowledge and agree that each understands the restrictions set forth in this section and represents that it shall comply with all applicable sections of the CCPA. Further, the parties acknowledge and agree that Partner is a business and that it appoints Discord as its service provider to process Personal Data as permitted under the Applicable Product Terms and this Agreement. Discord agrees that it: 

  1. will not "sell" or “share” Personal Data as defined in the CCPA; 
  2. will not use, disclose or retain Personal Data for any purpose outside of the direct business relationship between Partner and Discord; 
  3. shall limit the collection, sale or use of Personal Data except as necessary for the Discord to provide the services for which it was retained by Partner;
  4. will not use Personal Data for any purpose other than as permitted under the Advertising Terms, this Agreement and the CCPA; 
  5. shall provide the same level of protection to Personal Data as required by businesses under the CCPA;
  6. will not, without Partner’s prior written consent or as otherwise described in this Agreement or the applicable Applicable Product Terms, combine Personal Data with any other data or attempt to link, identify, or otherwise create a relationship between Data and other data. 

3. Compliance with Data Privacy Laws

a. Each Party shall comply with its respective obligations under the Data Privacy Laws in respect of Personal Data Processed pursuant to this Agreement.  

4. Personal Data Processing Requirements. Discord will: 

a. ensure that the persons it authorizes to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

b. upon written request of Partner, assist Partner, taking into account the nature of the Processing, by appropriate technical and organisational measures and in so far as is possible, in the fulfillment of Partner’s obligations to respond to requests by Data Subjects for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data). 

c. promptly notify Partner of (i) any Data Subject requests regarding the Processing of Personal Data under the Applicable Product Terms; or (ii) any Data Subject requests for access to or information about Discord’s Processing of Personal Data on Partner’s behalf, unless prohibited by Data Privacy Laws. 

d. at Partner’s request and expense, provide reasonable assistance to and cooperate with Partner in respect of any data protection impact assessments required in relation to the Processing of Personal Data pursuant to this Agreement.

e. at Partner’s request and expense, provide reasonable assistance to and cooperate with Partner in respect of any consultation with regulatory authorities required in relation to the Processing of Personal Data pursuant to this Agreement.

5. Data Security. Discord will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Data Security Terms

6. Personal Data Breach. Discord will notify Partner promptly of any Personal Data Breach. In the event of a Personal Data Breach, Discord will assist Partner in Partner’s compliance with its Personal Data Breach notification related obligations. Discord will:

a. Take steps to mitigate the effects of the Personal Data Breach and reduce the risk to Data Subjects whose Personal Data was involved; and

b. Provide Partner with the following information: 

i. The nature of the Personal Data Breach, including, where possible, what happened, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;

ii. The likely consequences of the Personal Data Breach; and

iii. Measures taken or proposed to be taken by Discord to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7. Subprocessors

a. Partner acknowledges and agrees that Discord has general authorisation to use Discord Affiliates and other subcontractors (“Subprocessors”) to Process Personal Data in accordance with the provisions within this Agreement and Data Privacy Laws. A current list of Discord’s Subprocessors relevant for this Agreement is in the attached Schedule 2, and Partner hereby consents to Discord’s use of such Subprocessors. 

b. Where Discord sub-contracts any of its rights or obligations concerning Personal Data, including to any Affiliate, Discord will (i) enter into a written agreement with each Subprocessor that imposes obligations on the Subprocessor that are no less onerous than those imposed on Discord under this Agreement; and (ii) where any Subprocessor fails to fulfill its obligations under the written agreement, Discord will remain liable for the performance of such Subprocessor’s obligations thereunder or breach thereof.

c. Discord shall notify Partner if it adds or removes Subprocessors at least 30 days prior to any such changes. In the event Partner objects to a new subcontractor, Discord will use reasonable efforts to make available to Partner a change in the services or recommend a commercially reasonable change to Partner’s use of the services to avoid Processing of Personal Data by the objected-to subcontractor without unreasonably burdening Partner. 

8. International Data Transfers

a. Partner acknowledges and agrees that Discord may Process or transfer any Personal Data in or to a territory other than the territory in which the Personal Data was first collected under the Applicable Product Terms, including as set out in Schedule 2.  Discord will take all such measures as are necessary to ensure that any such Processing or transfer is in compliance with Data Privacy Laws. 

b. Transfer Mechanisms. To the extent that a transfer of Personal Data from Partner to Discord constitutes a Restricted Transfer to a country which does not benefit from an absolute adequacy decision  under the Data Privacy Laws, the following shall apply, as applicable:

i. Data Transfers Subject to a Data Privacy Framework. For transfers of Personal Data from Partner to Discord in the US, Discord is certified under the EU-US Data Privacy Framework, the UK extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework (collectively the “Alternative Transfer Mechanisms”) and the Alternative Transfer Mechanisms constitute the valid transfer mechanism. Notwithstanding the above, if a court of competent jurisdiction or supervisory authority orders that the Alternative Transfer Mechanism cannot be relied on to lawfully transfer Personal Data to the United States, then the Parties agree that the data transfer mechanisms in Sections 8.b.ii-iv., shall apply.

ii. EU Data Transfers.  If Section 8(b)(i) does not apply, then with respect to Personal Data subject to the EU GDPR, the Partner and Discord agree to comply with the EU SCCs which shall form part of this Agreement, and take precedence over the rest of this Agreement as set forth in the EU SCC, and shall be completed as follows:

  1. Discord acts as Partner’s Processor, therefore Module Two of the EU SCCs shall apply.   
  2. Clause 7 (the optional docking clause) is not included.
  3. Under Clause 9 (Use of subprocessors), the parties select Option 2 (General written authorization). The initial list of subprocessors is set forth below in Schedule 2 of this Agreement, and Discord shall update that list and inform Partner in writing at least 30 business days in advance of any intended additions or replacements of subprocessors.
  4. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
  5. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights).  The parties select the law of The Netherlands.  All procedures will be conducted in English.
  6. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts in the City of Amsterdam, The Netherlands. 
  7. Annexes I and II of the EU SCCs are set forth in Schedule 3 of the Agreement.
  8. Annex III of the EU SCCs (List of subprocessors) is set forth in Schedule 2.
  9. By entering into this Agreement, the Parties are deemed to be signing the EU SCCs.

iii. UK Data Transfers. With respect to Personal Data subject to the UK GDPR, the Partner and Discord agree to comply with the UK SCCs which shall form part of this Agreement and take precedence over the rest of this Agreement as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. As permitted by clause 17 of the UK SCCs, the Parties agree to change the format of the information set out in Part 1 of the UK SCCs so that:

  1. Table 1 of the UK SCCs: The Parties’ details shall be the Parties and their Affiliates to the extent any of them is involved in such transfer, including those set forth in Schedule 3. The Key Contact shall be the contacts set forth in Schedule 3.
  2. Table 2 of the UK SCCs: The UK SCCs shall be appended to the EU SCCs as referenced above in Section 8(b)(ii).
  3. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedule 3.
  4. Table 4 of the UK SCCs: A party may end this Agreement as set out in Section 19 of the UK SCCs.
  5. By entering into this Agreement, the Parties are deemed to be signing the UK SCCs and its applicable Tables and Appendix Information.

iv. Swiss Data Transfers. With respect to Personal Data transferred from Switzerland for which the Swiss Federal Act on Data Protection (“FADP”) (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs shall apply and shall be deemed to have the following differences to the extent required by the FADP as follows:

  1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
  2. The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
  3. References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
  4. Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR. 

9. Audit, Compliance and Remediation. Discord will make available to Partner information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by Partner or another auditor (at Partner’s sole cost and expense) designated by Partner on reasonable notice by Partner and no more frequently than once every 12 months.  Partner shall conduct audits during standard working hours and use all reasonable endeavours to minimise disruption to Discord. 

10. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, Discord will, at the choice of Partner, return to Partner and/or securely destroy all Personal Data upon (a) written request of Partner or (b) termination of the Applicable Product Terms. Except to the extent prohibited by Data Privacy Laws, Discord will inform Partner if it is not able to return or delete any Data. 

11. Term. The effective date of this Agreement is the date of the latest signature of a Party. This Agreement shall remain in force for the duration of the Applicable Product Terms and for long as Discord processes Personal Data.

12. Survival. The provisions of this Agreement survive the termination or expiration of the Applicable Product Terms for so long as Discord or its subcontractors Process any Personal Data.  

Schedule 1

DETAILS OF PERSONAL DATA PROCESSING

Category Instruction
i. Subject matter, nature, and purpose of Processing   Discord will process Customer Data to provide the Processor Services
ii. Duration of Processing of Personal Data Discord will process Personal Data as described in the Applicable Product Terms
iii. Categories of Personal Data  Basic identifiers, contact information
iv. Categories of Data Subjects Partner’s customers and prospects
v. Frequency of processing Continuous as required to provide the Processor Services
vi. Transfers to Processors and Subprocessors

Discord transfers Personal Data to Subprocessors in connection with the Processor Services. 


 
vii. Sensitive Personal Data (if applicable)  None

Schedule 2

LIST OF SUBPROCESSORS

Subprocessor Name Address Country Purpose of Processing
Google Cloud Platform 

1600 Amphitheatre Parkway 

Mountain View, CA 94043 

 Global  Cloud Data Hosting and Infrastructure Provider 
LiveRamp, Inc

225 Bush Street, 17th Floor

San Francisco, CA 94104

 Global Advertising services support

Schedule 3

Annexes I and II of the EU SCCs

ANNEX I

  1. LIST OF PARTIES

[X] MODULE TWO (Transfer controller to processor)
 

Data exporter(s): Partner who has elected to use the Business Services in conjunction with the applicable Insertion Order or other ordering document.
 

Activities relevant to the data transferred under these Clauses: Obtaining the Processor Services from Data Importer

Role (controller/processor): Controller
 

Data importer(s): 

Name: Discord Inc. and its Affiliates

Address: 444 De Haro Street, Suite 200, San Francisco, CA 94107

Contact person’s name, position and contact details: 

Luke Perdue, Data Protection Officer, privacy@Partnerapp.com

Activities relevant to the data transferred under these Clauses: Providing the Processor Services to Data Exporter.

Role (controller/processor): Processor

  1. DESCRIPTION OF TRANSFER 

[X] MODULE TWO (Transfer controller to processor)
 

See Schedule 1 to the Agreement for the Categories of Data Subjects, Personal Data Transferred and Frequency of Transfer.

  1. COMPETENT SUPERVISORY AUTHORITY

The parties shall follow the rules for identifying the competent supervisory authority under Clause 13 of the EU SCCs and, to the extent legally permissible, select the Dutch Data Protection Authority.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

See Data Security Terms of the Agreement for the description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

ANNEX III
LIST OF SUBPROCESSORS
See Schedule 2.

Related articles