Data Processing Agreement
Last updated: February 16, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the organization using Peer10 (the “Controller”) and Peer10 (the “Processor”) for the provision of the Peer10 platform (the “Service”). This DPA is designed to meet the requirements of GDPR Article 28 and other applicable data protection laws.
1. Definitions
- “Controller” means the organization that determines the purposes and means of processing personal data through the Service (i.e., the youth sports organization)
- “Processor” means Peer10, which processes personal data on behalf of the Controller
- “Data Subject” means an identified or identifiable individual whose personal data is processed
- “Personal Data” has the meaning given in Article 4(1) of the GDPR
- “Sub-Processor” means a third party engaged by the Processor to process personal data
2. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller for the purpose of providing the Service — a youth sports management platform. Processing begins when the Controller creates an organization account and continues for the duration of the service agreement, plus any retention period required by law or specified in our Privacy Policy.
3. Nature and Purpose of Processing
Personal data is processed to provide platform features including: registration management, roster creation, schedule management, communication delivery, media processing, coaching insights, and organizational analytics. All processing is performed solely on the Controller's documented instructions.
4. Types of Personal Data
| Category | Data Types |
|---|---|
| Account data | Name, email address, role, authentication credentials |
| Player data | Name, date of birth, jersey number, team assignment, skill assessments, health information (if provided) |
| Media data | Photos, game film, AI-generated coaching summaries |
| Usage data | Page views, feature usage, device/browser type, IP address |
| Payment data | Billing information (processed by Stripe; Peer10 stores transaction records only) |
5. Categories of Data Subjects
- Organization administrators (directors, admins)
- Coaches and volunteer staff
- Parents and guardians
- Athletes (including minors under 13, minors aged 13–17, and adults 18+)
6. Controller Obligations
The Controller shall:
- Ensure there is a lawful basis for the processing of personal data (e.g., consent, legitimate interest, contractual necessity)
- Ensure the accuracy of personal data provided to the Processor
- Inform data subjects about the processing as required by applicable law
- Obtain verifiable parental consent for children under 13 as required by COPPA and GDPR Article 8
- Not instruct the Processor to process data in a manner that would violate applicable data protection law
7. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Annex 1)
- Engage Sub-Processors only with prior notice and subject to equivalent data protection obligations (see Section 8)
- Assist the Controller in responding to data subject access requests (DSARs) within 10 business days
- Assist the Controller in ensuring compliance with breach notification obligations
- Delete or return all personal data upon termination of the service agreement, at the Controller's choice, within 30 days
- Make available all information necessary to demonstrate compliance and allow for audits
8. Sub-Processors
The Controller provides general authorization for the Processor to engage the Sub-Processors listed in Annex 2. The Processor shall:
- Notify the Controller at least 30 days before adding or replacing a Sub-Processor
- Provide the Controller an opportunity to object within 30 days of notification
- Ensure each Sub-Processor is bound by data protection obligations no less protective than this DPA
- Remain fully liable for Sub-Processor compliance
9. International Data Transfers
Data is stored and processed in the United States. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland:
- We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914)
- We conduct transfer impact assessments to ensure adequate protection in the destination country
- Supplementary measures include encryption in transit and at rest, access controls, and contractual protections with Sub-Processors
10. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to meet its own breach notification obligations (nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed)
- Cooperate with the Controller in investigating the breach and mitigating its effects
11. Term and Termination
This DPA is effective for the duration of the service agreement. Upon termination:
- The Processor will delete or return all personal data within 30 days, at the Controller's election
- The Processor will certify deletion in writing upon request
- Obligations regarding confidentiality and data protection survive termination
Annex 1: Technical and Organizational Security Measures
- Encryption: TLS 1.3 in transit, AES-256 at rest for all data stores
- Access controls: Role-based access control (RBAC) following the principle of least privilege; row-level security (RLS) at the database layer for tenant isolation
- Authentication: Bcrypt password hashing, MFA support, secure session management with automatic expiry
- Network security: Managed cloud infrastructure with automated security patching, DDoS protection, and web application firewall
- Monitoring: Application and infrastructure monitoring with alerting for anomalous access patterns
- Backups: Automated daily backups with encryption, point-in-time recovery capability
- Incident response: Documented incident response procedures with defined roles, escalation paths, and communication templates
- Employee security: Background checks for personnel with data access, security awareness training, confidentiality agreements
Annex 2: Sub-Processor List
| Provider | Purpose | Data Types | Location |
|---|---|---|---|
| Supabase | Authentication & identity | Email, auth tokens | US (AWS) |
| DigitalOcean | Application hosting & database | All application data | US |
| Stripe | Payment processing | Payment & billing data | US |
| SendGrid (Twilio) | Transactional email | Email addresses, message content | US |
| Anthropic | AI analysis & generation | Anonymized entity data (no PII) | US |
| OpenAI | Text embeddings | Anonymized text data (no PII) | US |
Contact
For questions about this DPA, contact our Data Protection Officer at [email protected].