Data Processing Agreement (DPA)
This Data Processing Agreement ("Agreement") is entered into between:
Controller: Your organization, the organization using the sportstudio.app platform
and
Processor: sportstudio.app, Brakenburghstraat 11A, 2023 DS Haarlem, The Netherlands
This Agreement forms part of the Terms of Service between the parties and reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of applicable data protection legislation, including the General Data Protection Regulation (EU 2016/679).
1. Definitions
- Controller: The organization using the application and determining the purposes and means of personal data processing.
- Processor: The platform provider processing data on behalf of the Controller.
- Data Subject: The user (e.g. member, trainer, etc.) whose data is processed.
- Personal Data: Any information relating to an identified or identifiable person.
2. Subject Matter
The Processor will process Personal Data on behalf of the Controller solely to provide access to and functionality of the sportstudio.app platform.
3. Nature and Purpose of Processing
- Purpose: To enable the organization to manage their business and communicate with their users.
- Nature: Collection, storage, retrieval, transmission, and deletion of data.
4. Categories of Data Subjects
- Organization staff and administrators
- Organization members and clients
5. Categories of Personal Data
- First name
- Last name
- Email address
- Timestamps (sign-ups, bookings)
- Participation records
No special categories of data (e.g. health data) are processed unless entered manually by users.
6. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure confidentiality of processing staff
- Implement appropriate technical and organizational measures
- Assist the Controller in fulfilling obligations regarding data subjects' rights
- Delete or return all personal data upon termination of the agreement
- Make information available to demonstrate compliance
7. Subprocessors
The Controller agrees that the Processor may engage the following subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| DigitalOcean | Hosting | Germany (Frankfurt) |
| Laravel Forge | Deployment | Varies |
| Github | Code storage | EU/US |
| Postmark | Transactional email | US (with SCCs) |
| Laravel Nightwatch | Monitoring | EU |
The Processor shall ensure all subprocessors are GDPR-compliant and have signed appropriate DPAs.
8. Data Breaches
The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach.
9. Data Transfers
Any transfer of data outside the EU will comply with GDPR Chapter V (e.g., using Standard Contractual Clauses).
10. Duration
This Agreement remains valid for as long as the Processor processes personal data on behalf of the Controller.
Signed
Controller: ___________________________
Name:
Date:
Processor: ___________________________
Name:
Date: