
Scout's Data Processing Agreement
Effective Date: March 25, 2025
Last Updated: March 25, 2025
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Subscription Agreement between you (“Organization” or “Data Controller”) and Team Scout Inc. (“Team Scout” or “Data Processor”), a Delaware corporation with its principal place of business at 1916 Pike Place, Seattle, WA 98101. Capitalized terms not defined herein shall have the meanings set forth in the Subscription Agreement or applicable data protection laws.
In the event of a conflict between the terms of this DPA and the Subscription Agreement, this DPA will take precedence.
1. DEFINITIONS
1.1 Definitions:
• “Organization Data” means any Personal Data relating to the Organization’s Members that Team Scout processes to provide the Services and that is not Team Scout Data. Organization Data does not include Team Scout Data, even if duplicated.
• “Personal Data” means any information relating to an identified or identifiable natural person, or as otherwise defined under applicable Data Protection Legislation.
• “Data Protection Legislation” means all applicable laws related to data protection, privacy, and security, including, but not limited to, the EU General Data Protection Regulation (EU GDPR), the UK GDPR, the Swiss Federal Act on Data Protection, the South Korean Personal Information Protection Act (PIPA), and any applicable U.S. state privacy laws (e.g., CCPA, CPRA), as well as related amendments or replacements.
• “SCCs” means the EU Commission’s Standard Contractual Clauses (EU SCCs), including any applicable UK Addendum (UK SCCs), and/or Swiss-modified SCCs, for transfers of Personal Data to third countries where required by Data Protection Legislation.
• Terms such as “Business,” “data controller,” “data processor,” “service provider,” and “personal data breach” shall have the meanings ascribed by applicable Data Protection Legislation.
2. ROLES AND INSTRUCTIONS
2.1 Roles:
The Organization acts as Data Controller (or equivalent under applicable law) and Team Scout acts as Data Processor (or Service Provider) with respect to the Organization Data.
2.2 Instructions:
Team Scout shall process Organization Data only on the Organization’s documented lawful instructions, as described in the Subscription Agreement and this DPA, unless otherwise required by law.
3. SCOPE OF PROCESSING
3.1 Processing Overview:
Details of the categories of data subjects, types of Personal Data processed, processing activities, and authorized Sub-Processors are set forth in Schedule 1 (Processing Overview). Team Scout shall not process Organization Data for any purpose other than those stated in the Subscription Agreement, this DPA, or as otherwise instructed by the Organization in writing, unless required by law.
4. DATA PROCESSOR OBLIGATIONS
4.1 Compliance with Instructions and Law:
Team Scout will comply with applicable Data Protection Legislation, including EU GDPR, UK GDPR, Swiss data protection law, U.S. state privacy laws, and South Korean PIPA, when processing Organization Data.
4.2 Confidentiality:
Team Scout will ensure that all personnel authorized to process Organization Data are subject to obligations of confidentiality.
4.3 Security Measures:
Team Scout will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Such measures are described in Schedule 2 (Technical and Organizational Measures) and may include pseudonymization, encryption, access controls, regular testing, and backup and recovery procedures.
4.4 Data Subject Rights and Cooperation:
Taking into account the nature of the processing, Team Scout will assist the Organization by appropriate technical and organizational measures, insofar as possible, in responding to data subject requests (e.g., access, rectification, deletion) and ensuring compliance with other obligations (e.g., conducting privacy impact assessments, cooperating with supervisory authorities) under Data Protection Legislation.
4.5 Demonstrating Compliance and Audits:
Upon reasonable request and subject to confidentiality obligations, Team Scout will provide information necessary to demonstrate compliance and allow for audits or inspections (governed by reasonable notice, scope, and frequency).
4.6 Sub-Processors:
Team Scout may engage Sub-Processors to process Organization Data, as listed in Schedule 3 (Sub-Processors). The Organization hereby provides a general authorization for Team Scout to engage Sub-Processors. Team Scout shall remain liable for the actions of its Sub-Processors. The Organization may object to a new Sub-Processor by notifying Team Scout in writing within 10 days of receiving notice of the change. If no resolution can be reached, the Organization may terminate the relevant affected services.
4.7 Breach Notification:
Team Scout will notify the Organization without undue delay upon becoming aware of a personal data breach affecting Organization Data.
4.8 Return or Deletion of Data:
At the end of the Subscription Agreement or upon request, Team Scout will delete or return all Organization Data, except where retention is required by law.
5. INTERNATIONAL DATA TRANSFERS
5.1 Cross-Border Transfers (EU/UK/Switzerland):
If Team Scout processes Personal Data originating from the EU, UK, or Switzerland and transfers it to a third country without an adequate level of protection, Team Scout shall ensure such transfers are made under the SCCs (EU SCCs, UK Addendum, or Swiss modifications) or other approved mechanisms.
5.2 Cross-Border Transfers (South Korea):
If Personal Data originating from South Korea is transferred or accessed outside of South Korea, Team Scout shall ensure compliance with PIPA and any local requirements. This includes obtaining necessary consents from data subjects (if required), ensuring lawful transfer mechanisms, and implementing supplementary measures to maintain a level of protection essentially equivalent to that required under PIPA.
5.3 Data Localization Requirements (South Korea):
Where South Korean law requires certain categories of Personal Data to be stored and processed only on servers located in South Korea, Team Scout shall comply with such requirements. If the Organization instructs Team Scout to store/process Personal Data locally, Team Scout will follow those instructions. If any lawful exceptions apply (e.g., explicit consent for cross-border transfer), the Organization warrants that it has obtained such consent or complied with legal conditions before instructing Team Scout to transfer such data internationally.
5.4 SCCs and Hierarchy:
Where the SCCs are required, they are incorporated by reference. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.
6. ORGANIZATION WARRANTIES
6.1 Lawful Basis and Compliance:
The Organization warrants that:
• It has obtained all necessary consents and lawful bases for processing Organization Data under applicable Data Protection Legislation, including PIPA for South Korean data subjects.
• Its instructions for processing, including cross-border transfers and any data localization directives, comply with applicable law.
6.2 Accuracy and Minimization:
The Organization is responsible for ensuring the accuracy, quality, and lawfulness of Organization Data and that it discloses Organization Data to Team Scout only as necessary for the Services.
7. U.S. STATE PRIVACY LAWS
Where applicable U.S. state privacy laws (e.g., CCPA, CPRA) apply, Schedule 4 outlines additional terms. Team Scout shall not sell or share Personal Data or use it for its own independent purposes outside the direct business relationship, consistent with such laws.
SCHEDULE 1 (PROCESSING OVERVIEW)
Data Subjects:
• Organization’s Members: including athletes, parents/legal guardians, coaches, administrators, volunteers, staff.
Categories of Personal Data:
• Identification details: Name, date of birth, contact information (email, phone number), address.
• Membership and team affiliation details, attendance, performance metrics, competition results.
• Sensitive Data: May include health data, emergency contact info, payment information, government IDs, race/ethnicity, gender identity (if provided).
• Device/usage data: IP address, device identifiers, login history.
Purposes of Processing:
• To provide team management, scheduling, communication, performance tracking, event organization, and related services under the Subscription Agreement.
• To comply with legal obligations and ensure security.
Retention:
• For the duration of the Subscription Agreement or as instructed by the Organization or required by law.
SCHEDULE 2 (TECHNICAL AND ORGANIZATIONAL MEASURES)
Team Scout implements measures appropriate to the risk, including:
• Access controls (authentication, authorization, role-based access).
• Encryption of data in transit and at rest where appropriate.
• Regular backups and disaster recovery planning.
• Regular security assessments, vulnerability scans, and penetration testing.
• Physical security measures for data centers.
• Employee training on data protection.
• Monitoring and logging of system access.
• Measures to ensure compliance with PIPA and other local laws, including data localization (e.g., hosting South Korean Personal Data on servers within South Korea if required).
SCHEDULE 3 (SUB-PROCESSORS)
The Organization authorizes the use of the following Sub-Processors. Team Scout shall maintain an up-to-date list of Sub-Processors at [URL or attachment]:
Hosting and Infrastructure Providers:
• Amazon Web Services (AWS): Hosting, storage, backup.
• Cloudflare: Content delivery and security services.
Communications and Support:
• Twilio: SMS and voice communication services.
• SendGrid (Twilio): Email delivery services.
Payment Processing:
• Stripe: Payment gateway and processor.
Analytics and Logging:
• Datadog: Monitoring and analytics tool for infrastructure and application performance.
• Google Analytics: Web analytics (if applicable and configured lawfully).
Additional Region-Specific Providers (if needed):
• For South Korean data subjects, a local data center provider based in South Korea (e.g., Naver Cloud or KT Cloud) for compliance with localization requirements when instructed by the Organization.
Team Scout will provide advance notice of any intended additions or replacements to Sub-Processors to the Organization, granting the Organization the right to object as set forth in the DPA.
SCHEDULE 4 (U.S. STATE ADDENDUM)
If applicable, Team Scout:
• Will not sell or share Personal Data as defined under U.S. state privacy laws.
• Will not retain, use, or disclose Personal Data for any purpose other than the business purposes described in this DPA and the Subscription Agreement.
• Will assist Organization in fulfilling consumer rights requests as required by law.
By executing the Subscription Agreement referencing this DPA or otherwise indicating acceptance, the Organization and Team Scout agree to be bound by the terms of this DPA, including compliance with EU GDPR, UK GDPR, Swiss law, South Korean PIPA, and other applicable Data Protection Legislation.
© Team Scout Inc. 2025