Data Processing Agreement

The Processor will process Personal Data on behalf of the Controller solely to provide the Services as described in the Agreement. The processing is for the duration of the Agreement unless otherwise agreed in writing.

The Processor processes Personal Data for the following purposes:

• Processing guest registrations and waiver signatures
• Generating and managing digital guest passes
• Verifying guest identity via SMS verification
• Facilitating guest check-ins at club facilities
• Sending transactional communications on behalf of the Controller
• Sending marketing communications (where authorized and consented)
• Generating analytics and reports for the Controller
• Storing waiver documents for liability protection

Personal Data processed under this DPA relates to:

• Guests visiting the Controller's facilities
• Members of the Controller's organization
• Staff and administrators of the Controller

• Process Personal Data only in accordance with the Controller's documented instructions
• Inform the Controller if any instruction infringes applicable Data Protection Laws
• Not process Personal Data for any purpose other than as necessary to provide the Services

• Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
• Limit access to Personal Data to personnel who need access to perform the Services
• Not disclose Personal Data to third parties except as permitted by this DPA

Implement and maintain appropriate technical and organizational security measures as described in Section 7 and our Information Security Addendum.

• Assist the Controller in responding to Data Subject requests
• Assist the Controller with data protection impact assessments where required
• Assist the Controller in meeting its obligations under Data Protection Laws
• Provide information necessary to demonstrate compliance with this DPA

The Controller authorizes the Processor to engage the following Sub-Processors for the purposes indicated:

The Processor shall:

• Maintain an up-to-date list of Sub-Processors on this page
• Impose data protection obligations on Sub-Processors no less protective than this DPA
• Remain liable for the acts and omissions of Sub-Processors
• Conduct due diligence on Sub-Processors' data protection practices

We will notify the Controller via email at least 30 days before engaging any new Sub-Processor. If the Controller objects to a new Sub-Processor on reasonable data protection grounds, the Controller may terminate the affected Services by providing written notice within 30 days of our notification.

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of sensitive data at rest
• Multi-tenant architecture with logical data separation
• Access controls and role-based permissions
• Input validation and sanitization
• Rate limiting and abuse prevention
• Secure password hashing (bcrypt/argon2)
• Regular security updates and patching

• Employee security awareness training
• Access limited to personnel who need it
• Confidentiality agreements for all personnel
• Incident response procedures
• Regular security assessments

The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws, including:

• Right to access Personal Data
• Right to rectification of inaccurate data
• Right to erasure (deletion)
• Right to data portability
• Right to object to processing
• Right to restrict processing
• Right to withdraw consent

If the Processor receives a request directly from a Data Subject, the Processor will promptly redirect the request to the Controller unless prohibited by law. The Processor will not respond to Data Subject requests directly except at the Controller's instruction.

The Services provide tools that enable the Controller to access, export, correct, and delete Personal Data. The Controller may use these tools to respond to Data Subject requests without Processor assistance.

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data processed on behalf of the Controller.

Notification will include, to the extent available:

• Description of the nature of the Security Incident
• Categories and approximate number of affected Data Subjects
• Categories and approximate number of affected records
• Name and contact details of the Processor's contact person
• Likely consequences of the Security Incident
• Measures taken or proposed to address the Security Incident

Following a Security Incident, the Processor will:

• Take immediate steps to contain and mitigate the incident
• Cooperate with the Controller in investigating the incident
• Preserve evidence for forensic analysis
• Provide reasonable assistance to the Controller in meeting breach notification obligations

Personal Data is primarily processed in the United States. The Processor will not transfer Personal Data to countries outside the United States without appropriate safeguards.

For international transfers, the Processor relies on:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Data Privacy Framework certification where applicable
• Other lawful transfer mechanisms as required by applicable law

Upon reasonable written request (no more than once per year), the Processor will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits and inspections.

Audits are subject to:

• At least 30 days advance written notice
• Reasonable scope and timing agreed by both parties
• Execution of appropriate confidentiality agreements
• Controller bearing the costs of the audit
• Minimal disruption to Processor operations

The Processor may satisfy audit requests by providing copies of relevant third-party certifications, audit reports (e.g., SOC 2), or other evidence of compliance, at the Processor's discretion.

The Controller may delete Personal Data at any time using the tools provided in the Services. Deleted data may be retained in backups for a limited period consistent with our retention policies.

Upon termination of the Agreement, the Processor will:

• At the Controller's request, export Personal Data in a standard format
• Delete Personal Data within 30 days of termination or export request
• Certify deletion in writing upon Controller's request
• Instruct Sub-Processors to delete Personal Data

The Processor may retain Personal Data as required by applicable law, including retention of waiver records for liability protection purposes. Any retained data will continue to be protected in accordance with this DPA.