Legal & Compliance

Data Processing Agreement (DPA) — AntiScammer
Last Updated: 02/24/2026

This Data Processing Agreement (“DPA”) forms part of the agreement between (1) the party operating a Discord server that uses AntiScammer (the “Controller”) and (2) AntiScammer / AntiScammer Operators (the “Processor”) to the extent AntiScammer processes Personal Data on behalf of the Controller.

1. Definitions
Capitalized terms not defined here have the meaning given in GDPR.

“GDPR” means Regulation (EU) 2016/679.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on Personal Data (e.g., collection, analysis, storage, disclosure, deletion).
“Controller” means the Discord server owner/admin who determines purposes and means of Processing.
“Processor” means AntiScammer to the extent it processes Personal Data on behalf of the Controller.
“Sub-processor” means a third party engaged by the Processor to process Personal Data.
“Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Roles & Scope
(a) The Controller appoints the Processor to process Personal Data only as necessary to provide AntiScammer’s security and moderation features within the Controller’s Discord server.

(b) The Processor will process Personal Data only on documented instructions from the Controller, as configured through the Controller’s use of AntiScammer (e.g., Allowing the discord bot in the server.).

(c) Separate processing context: This DPA covers processing performed on behalf of the Controller. If AntiScammer operates separate security services (e.g., global investigations, fraud-prevention intelligence), those activities may be governed by AntiScammer’s Privacy Policy and terms as an independent controller, where applicable.
3. Details of Processing
The subject-matter, duration, nature, and purpose of Processing are described below.

3.1 Subject matter
Security and moderation processing within a Discord server, including scam detection, reporting, and enforcement support.

3.2 Duration
Processing occurs during the term the Controller uses AntiScammer. Storage (where applicable) follows the retention rules described in Section 7 and Appendix A.

3.3 Nature and purpose
Real-time analysis of messages for scam/fraud patterns
Flagging suspicious activity for moderator review
Enforcement actions (e.g., automated or assisted bans) based on configured rules
Case creation and investigation where escalated by authorized staff or configured features
3.4 Categories of data subjects
Discord users interacting in the Controller’s server
Server staff members using AntiScammer moderation features
3.5 Categories of Personal Data
Discord user identifiers (User ID), username/display name (snapshot)
Server identifiers (Server/Guild ID)
Message content (only as needed for detection, and stored only if flagged/escalated per configuration)
Timestamps and moderation metadata (e.g., actions taken, reasons, status)
Evidence attachments provided by staff (e.g., images) where applicable
System logs necessary for security and reliability (e.g., error logs, rate-limits)
3.6 Special categories of data
AntiScammer is not intended to process special categories of data under GDPR Article 9. Users may nonetheless post such information in Discord. The Controller is responsible for determining whether to use AntiScammer in contexts that could involve sensitive data.

4. Controller Obligations
The Controller is responsible for providing any notices to server members required under applicable law (including GDPR Articles 13/14).
The Controller is responsible for ensuring it has a lawful basis for processing (e.g., legitimate interests for security and fraud prevention).
5. Processor Obligations
The Processor will:

Process Personal Data only on documented instructions from the Controller and in accordance with this DPA.
Ensure persons authorized to process Personal Data have committed themselves to confidentiality.
Implement appropriate technical and organizational security measures as described in Section 6.
Not sell Personal Data.
Assist the Controller in responding to Data Subject requests as set out in Section 9.
Delete or return Personal Data at the end of the provision of services as set out in Section 7, unless retention is required under applicable law or for security/fraud prevention purposes [EDIT TO MATCH YOUR MODEL].
6. Security Measures (Article 32)
The Processor maintains reasonable security measures appropriate to the risk, which may include:

Restricted access to systems and data (role-based access)
Access limited to authorized operators with a legitimate need
Network and server hardening (firewall rules, patched systems)
Encrypted connections where applicable (TLS/HTTPS)
Logging and monitoring for security events
Backups and disaster recovery controls
7. Retention, Deletion, and Return
7.1 Real-time monitoring
Message content may be analyzed in real time for scam detection. Message content is not permanently stored by the Processor unless flagged and escalated to a security investigation, abuse report, or enforcement case, or otherwise configured by the Controller.

7.2 Escalated cases
Where a message is escalated to an investigation or enforcement case, the Processor may store relevant message content and related metadata as needed for fraud prevention, security investigations, enforcement, and auditability. Retention periods for escalated cases are described in Appendix A.

7.3 Deletion requests
The Processor will delete or anonymize data within a reasonable timeframe upon documented instruction from the Controller, unless retention is required for legal compliance, dispute resolution, or fraud/security prevention.

7.4 Backups
Personal Data may persist in backups for a limited period after deletion until those backups are rotated or overwritten, consistent with the Processor’s backup policy.

8. Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors to support hosting and infrastructure. The Processor will maintain an up-to-date list of Sub-processors below or in Appendix B.

8.1 Current Sub-processors
Hosting Provider: Modora server (EU)
Backup Provider (if separate): Locally ran
Payment prosessor: Patreon
CDN/Image storage: Finland EEA (If applicable)
The Processor will notify the Controller of material changes to Sub-processors by updating this page or providing notice through reasonable means. Changes can also be requested by emailing. [email protected].

9. Assistance with Data Subject Requests
Taking into account the nature of processing, the Processor will assist the Controller by appropriate technical and organizational measures to respond to requests to exercise Data Subject rights (access, deletion, correction, restriction, portability, objection), to the extent applicable.

Requests can be submitted at: [email protected] or via support Discord: https://discord.gg/BVFsE2Z29Q.

10. Security Incident Notification
The Processor will notify the Controller without undue delay after becoming aware of a Security Incident involving Personal Data processed under this DPA and will provide information reasonably required for the Controller to meet breach notification obligations.

11. International Transfers
If Personal Data is transferred outside the EEA/UK, the Processor will implement appropriate safeguards as required by GDPR (e.g., Standard Contractual Clauses), where applicable.

12. Governing Law
This DPA is governed by the laws of the USA, without prejudice to mandatory GDPR provisions.

13. Third-Party Integrations
AntiScammer may receive Personal Data through authorized third-party integrations, including Modora, which provides moderation and security services to Discord servers.

Where such integrations transmit Personal Data to AntiScammer for fraud detection, enforcement, or investigation purposes, AntiScammer processes that data in accordance with this DPA and its Privacy Policy.

Depending on the configuration and purpose of processing, AntiScammer and the integration provider may act as independent Data Controllers for fraud prevention and platform security.

Appendix A — Processing Details & Retention
Real-time scanning: Not stored permanently unless escalated.

Flagged moderation review channel: Content may be posted to a designated Discord channel; retention is controlled by Discord and server configuration.

Escalated cases retention
Open investigations: Stored until case closure. See Dismissed cases or Confirmed cases
Confirmed scam cases: Retained up to 20 years and/or users account was found deleted.
False positive / dismissed cases: flag is used to rework detection w/o training nor copying message. Then after 3 months is automatically deleted
Appeals records: Stored with confirmed scam cases up to 20 years.
Access controls
Authorized operators: Ram2 , Ditiskevin
Access method: Direct server access
Audit logging: Access is restricted via IP whitelist
Appendix B — Sub-processors List
List of current Sub-processors used to provide the service.

Hosting Provider: Pebblehost, Texas - USA
Backup Provider (if separate): Locally ran
Payment prosessor: Patreon
CDN/Image storage: Finland (EEA), if applicable
Contact: For DPA questions, contact [email protected].