Data Processing Agreement
Effective Date: December 1, 2025
Standard Contractual Clauses
For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)
Preamble
These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor when processing personal data on behalf of the data controller.
The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
In the context of the provision of the Coachway software platform, the data processor will process personal data on behalf of the data controller in accordance with the Clauses.
The Clauses shall take priority over any similar provisions contained in other agreements between the parties.
Four appendices are attached to the Clauses and form an integral part of the Clauses:
- Appendix A contains details about the processing of personal data, including purpose, nature, types of personal data, categories of data subjects and duration of processing.
- Appendix B contains the data controller’s conditions for the use of sub processors and a list of authorised sub processors.
- Appendix C contains the data controller’s instructions regarding processing, minimum security measures and audit procedures.
- Appendix D contains provisions for other activities not covered by the Clauses.
The Clauses and appendices shall be retained in writing, including electronically, by both parties.
The Clauses do not exempt the data processor from obligations under the GDPR or other applicable legislation.
Rights and Obligations of the Data Controller
The data controller is responsible for ensuring that the processing of personal data complies with the GDPR, applicable EU or Member State data protection law and these Clauses.
The data controller has the right and obligation to determine the purposes and means of the processing of personal data.
The data controller is responsible for ensuring that any processing instructed to the data processor has a valid legal basis.
Instructions to the Data Processor
The data processor shall process personal data only on documented instructions from the data controller unless required by Union or Member State law.
Instructions are specified in Appendices A and C. Additional instructions may be provided during the term of processing and must always be documented in writing.
If the data processor believes that instructions contravene the GDPR or applicable law, it shall immediately inform the data controller.
Confidentiality
The data processor shall ensure that access to personal data is limited to persons under its authority who are bound by confidentiality obligations, and only on a need-to-know basis.
Access rights shall be reviewed periodically and withdrawn where no longer necessary.
Upon request, the data processor shall demonstrate that authorised persons are subject to appropriate confidentiality obligations.
Security of Processing
Taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing, appropriate technical and organisational measures shall be implemented to ensure security appropriate to the risk.
Measures may include:
- Pseudonymisation and encryption of personal data
- Ongoing confidentiality, integrity, availability and resilience of systems
- Timely restoration of availability after incidents
- Regular testing and evaluation of security measures
The data processor shall independently assess risks and implement mitigating measures, and assist the data controller in meeting obligations under Article 32 GDPR.
Any additional measures required by the data controller shall be specified in Appendix C.
Use of Sub Processors
The data processor shall not engage sub processors without the data controller’s general written authorisation.
The data processor is authorised to engage sub processors listed in Appendix B and shall notify the data controller at least 30 days in advance of any changes.
Sub processors shall be subject to the same data protection obligations as set out in these Clauses.
The data processor remains fully liable for the performance of sub processors.
Transfers to Third Countries
Transfers of personal data to third countries or international organisations shall occur only on documented instructions from the data controller and in compliance with Chapter V GDPR.
Without documented instructions, the data processor shall not:
- Transfer personal data to third country controllers or processors
- Engage sub processors in third countries
- Process personal data in third countries
Transfer instructions and mechanisms are specified in Appendix C.
These Clauses do not constitute standard contractual clauses under Article 46 GDPR.
Assistance to the Data Controller
The data processor shall assist the data controller in responding to data subject rights requests under Chapter III GDPR, including:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
- Automated decision making safeguards
The data processor shall also assist with:
- Personal data breach notifications
- Data protection impact assessments
- Prior consultation with supervisory authorities
Specific assistance measures are defined in Appendix C.
Notification of Personal Data Breaches
The data processor shall notify the data controller without undue delay and where possible within two hours of becoming aware of a personal data breach.
The data processor shall assist in providing required information, including:
- Nature of the breach
- Likely consequences
- Measures taken or proposed
Details are defined in Appendix C.
Erasure and Return of Data
Upon termination of services, the data processor shall return or delete all personal data unless retention is required by law.
Audit and Inspection
The data processor shall make available all information necessary to demonstrate compliance and allow audits by the data controller or appointed auditors.
Audit procedures are defined in Appendix C.
Supervisory authorities shall be granted access upon presentation of proper identification.
Other Terms
The parties may agree additional terms provided they do not conflict with the Clauses or the GDPR.
Commencement and Termination
The Clauses become effective upon signature by both parties.
They apply for the duration of the processing services and may be renegotiated if legal changes require it.
Termination is permitted after deletion or return of personal data.
Appendix A. Information About the Processing
A.1 Purpose
Provision of a software platform enabling online coaching services, including communication, scheduling, data storage and progress tracking.
A.2 Nature of Processing
Hosting, storage, transmission, display, organisation, security monitoring, backups, logging and technical maintenance.
A.3 Types of Personal Data
- Identity and contact data
- Health and body related data
- Communication data
- Financial data (via third party provider)
- Technical usage data
A.4 Categories of Data Subjects
- Clients
- Coaches
- Administrative users
A.5 Duration
Data is retained during the active relationship and deleted or anonymised within six months of inactivity, subject to legal retention requirements.
Appendix B. Authorised Sub Processors
No sub processors authorised at commencement.
Appendix C. Instructions Pertaining to Processing
C.1 Scope
Provision, operation and maintenance of the platform strictly under documented instructions.
C.2 Security Measures
High-level security measures including encryption, access control, logging, backups, audits and hosting within EU-based infrastructure.
C.3 Assistance Measures
Technical support for rights requests, breach handling, audits and recovery.
C.4 Storage and Erasure
Automatic erasure after six months of inactivity; accounting data is retained for five years.
C.5 Processing Locations
- AWS: EU
- Railway: EU
- Cloudflare: EU and USA
- Sentry: USA
- Stripe: Ireland
C.6 Transfers
Transfers are permitted only under valid GDPR transfer mechanisms, including the EU-US Data Privacy Framework.
C.7 and C.8 Audits
Annual inspections with defined scope and responsibilities.