Privacy and compliance
This page covers data ownership, privacy practices, GDPR compliance, security certifications, and platform-specific privacy requirements for Heroic Cloud.
Overview
Heroic Labs is committed to data privacy and security. You own your data at all times. Heroic Labs doesn’t mine, analyze, or monetize your data in any way. The platform collects only the minimum personally identifiable information (PII) needed to operate Heroic Cloud itself.
Data ownership
All data stored in Heroic Cloud belongs to you. Heroic Labs doesn’t claim ownership of any customer data, including player data, game data, or configuration data.
Export your data at any time. Database exports are partially automated through the dashboard’s Data Export feature (see Data exporting). For data not covered by the self-service export, contact Heroic Labs (support@heroiclabs.com) for an on-demand export.
No data mining
Heroic Labs doesn’t perform any data mining on customer data. Your game data, player data, and usage patterns are never analyzed, aggregated, or sold. Data is stored and processed solely to provide the Heroic Cloud service.
PII and in-game data
Heroic Cloud collects PII only for platform functionality: account registration, billing, and team management. This includes names, email addresses, and payment details.
The game studio decides what in-game data to store, how to structure it, and what to collect from players. Heroic Labs provides the infrastructure and storage, but the studio controls what data enters the system through their Nakama server code.
Data security
Encryption at rest
All data stored in Heroic Cloud is encrypted at rest at all times. This includes database contents and backups. Disk-level encryption is always enabled.
Encryption in transit
All connections to Heroic Cloud use TLS 1.2 or higher. This policy is enforced at all times; older TLS versions aren’t accepted.
GDPR
Heroic Cloud and Nakama are fully GDPR compliant.
Heroic Labs acts as a data processor. Heroic Labs stores and manages data on the game studio’s behalf but doesn’t determine the purposes or means of processing. The game studio (as data controller) decides what data to send, and Heroic Labs processes only what is sent to power the game. Heroic Labs doesn’t collect, analyze, or process player data beyond what is required to operate the service.
Right to data access
Players and end users have the right to request a copy of their personal data. Game studios are responsible for implementing data access mechanisms in their game code using Nakama’s storage and user APIs.
Right to erasure (right to be forgotten)
Players and end users have the right to request deletion of their personal data. Studios are responsible for implementing deletion workflows. Nakama provides APIs for deleting user accounts and associated storage data.
Subprocessors
Heroic Labs uses a number of subprocessors (third-party services that may process customer data on Heroic Labs’ behalf). Contact Heroic Labs (support@heroiclabs.com) to request the current list of subprocessors.
Data processing agreements
For detailed information about data processing agreements or to exercise data subject rights at the platform level, contact Heroic Labs (support@heroiclabs.com).
SOC 2 Type II
Heroic Labs is SOC 2 Type II compliant. This certification validates that Heroic Labs maintains rigorous controls for security, availability, and confidentiality of customer data.
The SOC 2 Type II report is available on request. Contact Heroic Labs (support@heroiclabs.com) to receive a copy.
Vulnerability testing and penetration testing
Heroic Labs conducts annual external vulnerability assessments and penetration testing by a third-party accredited provider to identify and address security risks. These assessments are part of the SOC 2 compliance program.
Dependency vulnerability management
Automated tooling detects code dependency vulnerabilities. When a vulnerability is identified, alerts fire automatically and the team resolves it within 30 days of a fix becoming available.
Meta platform requirements
Heroic Cloud should be treated the same as any public cloud provider—such as AWS, GCP, or Azure—for the purposes of Meta’s platform requirements. Heroic Labs provides managed infrastructure and doesn’t have special access to or processing of player data beyond what any cloud provider would. The game studio controls what data is sent and how it’s used.
When completing Meta privacy questionnaires, refer to Heroic Labs and Heroic Cloud as a cloud provider, as you would reference AWS or GCP.
Related concepts
- Data exporting for exporting your database.
- Disaster recovery for backup and recovery information.
- Enterprise SSO and directory sync for identity management powered by WorkOS (SOC 2 compliant).
- Audit log for tracking all user actions across your organization.
