Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CoachOpt AB ("Processor") and the customer organization ("Controller") and applies to the processing of personal data on behalf of the Controller. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to personal data processing.

Processor contact details
CoachOpt AB, Org. nr: 559429-9207
Stubbåkersvägen 21, Storvreta 74334, Sweden

1. Scope and Definitions

The Controller determines the purposes and means of processing. The Processor processes personal data only on documented instructions from the Controller, in accordance with GDPR Article 28. For the purposes of this DPA, the Controller's documented instructions include the Terms of Service, this DPA, and the Controller's configuration and use of the Service. The Processor shall inform the Controller if an instruction violates applicable law. The Controller remains responsible for determining the purposes and means of processing personal data under this DPA. Nothing in this DPA transfers controller responsibilities to the Processor except as required by applicable law.

2. Processing Details

Processing is limited to providing the CoachOpt Service, including team management, reporting, analytics, notifications, and support.

3. Processor Obligations

• Process personal data only on documented instructions from the Controller.
• Ensure confidentiality of persons authorized to process personal data.
• Ensure that persons authorized to process personal data are subject to confidentiality obligations and receive appropriate data protection training.
• Implement appropriate technical and organizational security measures appropriate to the risk, including access controls, encryption in transit, logging, and environmental separation. A description of current measures is available upon reasonable request.
• Assist the Controller with data subject requests and GDPR compliance.
• Assist the Controller, taking into account the nature of the processing and the information available to the Processor, with data protection impact assessments (DPIAs) and consultations with supervisory authorities where required.
• Notify the Controller of personal data breaches without undue delay.
• Delete or return personal data upon termination, unless retention is required by law.
• Make available information necessary to demonstrate compliance.

4. Sub-processors

The Controller authorizes the Processor to engage sub-processors for the delivery of the Service. The Processor will impose equivalent data protection obligations on sub-processors and will notify the Controller of material changes at least 30 days in advance. The Controller may object on reasonable data protection grounds within that 30-day period.

5. International Transfers

Data is primarily processed within the EU/EEA. If transfers outside the EEA occur, the Processor will rely on appropriate safeguards such as Standard Contractual Clauses (SCCs).

6. Audits

The Controller may request reasonable documentation or audits to verify compliance. Audits shall be limited to once per year unless required by a supervisory authority, conducted during normal business hours, and subject to reasonable confidentiality and security restrictions. Audits must not unreasonably interfere with the Processor's operations. Each party shall bear its own costs for an audit unless the audit demonstrates a material breach of this DPA by the Processor.

Annex 1 - Processing Details

• Categories of data subjects: athletes/players, coaches, admins, organization owners.
• Categories of personal data: account details, team membership, training data, reports, performance metrics, usage and technical logs.
• Special categories: special categories of personal data may include health-related data, including wellness, recovery, injury, and similar data, where processed on the Controller's instructions.
• Purpose: provision of the Service, support, security, and compliance.

Annex 2 - Sub-processors (Summary)

Provider	Purpose	Region
Amazon Web Services (EC2, RDS)	Hosting and database infrastructure	EU (eu-north-1, Sweden)
Google Workspace (Gmail)	Email delivery (invitations, system emails)	EU/Global
No other sub-processors currently in use.