This Data Processing Agreement ("DPA") forms part of the agreement betweenGo2 ("Processor", "we", "us", or "Go2") and you ("Controller", "Customer", or "you") for the provision of the Go2services as described in our Terms of Service (the "Agreement").
This DPA applies where and only to the extent that Go2 processes Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to Data Protection Laws.
The purpose of this DPA is to ensure that the processing of Personal Data byGo2 on behalf of the Customer complies with applicable data protection regulations, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), UK GDPR, and other applicable data protection laws.
By using Go2 services, you agree to the terms of this DPA. For enterprise customers requiring a signed copy, please contact legal@go2.gg.
In this DPA, the following terms shall have the meanings set out below:
| Term | Definition |
|---|---|
| Controller | The entity which determines the purposes and means of the processing of Personal Data (i.e., the Customer). |
| Processor | The entity which processes Personal Data on behalf of the Controller (i.e., Go2). |
| Sub-processor | Any third party engaged by the Processor to process Personal Data on behalf of the Controller. |
| Personal Data | Any information relating to an identified or identifiable natural person ("Data Subject"). |
| Data Subject | An identified or identifiable natural person whose Personal Data is processed. |
| Processing | Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion. |
| Personal Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. |
| Data Protection Laws | GDPR, UK GDPR, CCPA, and any other applicable data protection legislation. |
| SCCs | Standard Contractual Clauses approved by the European Commission for international data transfers. |
This DPA applies to the processing of Personal Data that the Customer submits to Go2 or that is collected through the Customer's use of the Service, including:
| Data Type | Examples |
|---|---|
| Technical identifiers | IP addresses (anonymized after processing), device fingerprints |
| Location data | Approximate geographic location (country, region, city) derived from IP |
| Device information | Browser type, operating system, device type |
| Referrer data | Source URL, UTM parameters |
Go2 processes Personal Data solely for the following purposes:
Processing will continue for the duration of the Agreement, plus any retention period required by law or as specified in the data retention schedule.
Go2 shall process Personal Data only on documented instructions from the Controller, unless required by law. The Controller's instructions are documented in:
Go2 will immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws. Go2 may suspend the relevant processing until the Controller confirms or modifies the instruction.
Go2 ensures that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
Go2 shall not:
Go2 implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.3 for all data transmission |
| Encryption at rest | AES-256 encryption for stored data |
| Access controls | Role-based access control (RBAC), principle of least privilege |
| Authentication | Strong password policies, multi-factor authentication |
| Network security | Firewalls, DDoS protection, intrusion detection |
| Monitoring | 24/7 security monitoring, logging, and alerting |
Our infrastructure providers maintain the following certifications:
The Controller provides general authorization for Go2 to engage sub-processors to assist in providing the Service. A current list of sub-processors is available in our Privacy Policy.
Before engaging any sub-processor, Go2 shall:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, security | Global (Edge) |
| Stripe, Inc. | Payment processing | United States |
| PostHog Inc. | Product analytics | European Union |
Go2 will notify the Controller of any intended changes to sub-processors at least 30 days in advance by:
The Controller may object to a new sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the Agreement.
Go2 will assist the Controller in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:
If Go2 receives a request directly from a Data Subject regarding the Controller's data, Go2 will promptly notify the Controller and will not respond to the request without the Controller's authorization, unless required by law.
The Controller can use the Go2 dashboard and API to:
Go2 will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting the Controller's data.
The notification will include, to the extent known:
Go2 will cooperate with the Controller and take reasonable steps to assist in investigating, mitigating, and remediating the breach.
Unsuccessful attacks (e.g., blocked intrusion attempts, pings, port scans) that do not result in unauthorized access to Personal Data do not constitute a Personal Data Breach.
Go2 will make available to the Controller all information necessary to demonstrate compliance with this DPA, including:
The Controller (or an independent auditor appointed by the Controller) may conduct audits to verify Go2's compliance with this DPA, subject to:
Go2 may satisfy audit requests by providing existing third-party audit reports (e.g., SOC 2) that cover the relevant controls.
Upon termination of the Agreement or at the Controller's request, Go2will:
Go2 may retain Personal Data to the extent required by applicable law, provided that:
Go2 will ensure that sub-processors delete Personal Data in accordance with the same requirements.
When transferring Personal Data to countries outside the EEA that do not have an adequacy decision, Go2 implements appropriate safeguards including:
Go2 has conducted transfer impact assessments for data transfers to our sub-processors and can provide these assessments to Customers upon request.
If Go2 receives a legally binding request from a government authority for access to Personal Data, Go2 will:
For transfers of Personal Data from the EEA to countries without an adequacy decision, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference:
For transfers from the UK, the UK International Data Transfer Addendum (IDTA) to the EU SCCs is incorporated as applicable.
For transfers from Switzerland, the SCCs apply with the modifications specified by the Swiss Federal Data Protection and Information Commissioner.
In case of conflict between this DPA and the SCCs, the SCCs shall prevail to the extent of the conflict.
This DPA shall remain in effect for the duration of the Agreement betweenGo2 and the Controller.
The following provisions shall survive termination:
Go2 may update this DPA from time to time to reflect changes in legal requirements or our processing activities. Material changes will be notified at least 30 days in advance.
Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.
Each party shall indemnify the other for any fines or penalties imposed by a supervisory authority to the extent directly arising from that party's violation of Data Protection Laws.
Go2 remains fully liable to the Controller for the performance of sub-processor obligations under this DPA.
For questions about this Data Processing Agreement or to exercise any rights under this DPA:
Enterprise customers may request customized DPA terms by contacting our legal team.
Related Documents
Questions about this policy? Contact us at legal@go2.gg
Go2 - Data Processing Agreement | Last updated: January 15, 2026 | Effective: February 1, 2026
For the latest version, visit: go2.gg/dpa