Our Commitment to Privacy and Security
We live in the age of data. Our customers are both gamers and games. Gamers want transparency and to know their data is safe. Games want to know, as a partner, that we are taking care of the complexities so they can focus on building. Our customers can rest assured that we have built our core products, such as Passport and Audience, upon a 'privacy by design' framework, with compliance and security front of mind.
Built for GDPR
Core components of our Privacy Framework include:
Privacy Policy
Our Privacy Policy is our public promise to users. It clearly sets out how and why we collect, process, store and use information, ensuring total transparency for your community.
We Know our Data Flows
You can't protect what you can't see. We closely map how personal information moves through our ecosystem, in particular for core products such as Passport and Audience, to ensure we identify risks early and only hold the data we need.
Vetted sub-processors
We are only as strong as our partners. We strictly vet our key third-party vendors to ensure they meet our high security standards before they touch user data.
Response Readiness
We have plans in place to ensure that in the unlikely event of an incident, our response is rapid, contained, and transparent.
Transparent Collection Statement
Our Collection Statement makes it clear to users at the point of sign-in and account creation who Immutable is, to give them clarity on who they are entrusting their personal information to.
Clear Roles Outlined
Our commercial agreements clearly define where we act as a "Processor" (working for you) versus a "Controller" (platform level), as defined under the GDPR, giving you legal certainty and protecting you from unnecessary liability.
Snapshot of Key Controls
Enterprise-grade infrastructure
We leverage world-class, certified cloud infrastructure providers (AWS) to host our services. Our architecture is designed with defence-in-depth principles, prioritising high-availability and redundancy.
Data encryption
We take the security of our users' information seriously. Sensitive data is encrypted at rest and in transit using industry-standard secure protocols, ensuring that data remains protected whether it is sitting in our database or moving across the network.
Incident response & transparency
In the unlikely event of a security incident, Immutable has a tested response protocol in place. We are committed to transparency and complying with all regulatory reporting requirements.
Principle of least privilege
We limit access to personal data within our company. Access is granted on a "need-to-know" basis only, and we utilise strong authentication methods to prevent unauthorised access. We also provide processes to enable users to manage, export, or delete their personal data, supporting the data subject rights central to the GDPR framework.
Proactive threat monitoring
Our security operations center operates 24/7, utilising automated intrusion detection systems and real-time threat intelligence to identify potential vulnerabilities before they can impact our ecosystem.
Partner risk management
We conduct rigorous security reviews on third-party vendors and sub-processors handling data. All partners must meet our security requirements to ensure data is protected throughout the entire chain of custody.
Security research & bug reporting
Found a vulnerability? We value the contributions of the security community. Please report potential security issues via our bug bounty programs at Bugcrowd or Immunefi, or get in touch with security@immutable.com so we can investigate and resolve them quickly.
Have Questions?
To exercise your data rights or for other support, please reach out to our team via support@immutable.com.
*This page provides an overview of Immutable’s security posture and compliance approach. While we adhere to strict internal controls and industry best practices, this information does not constitute legal advice. Customers are responsible for their own compliance obligations when using our services.
