DATA PROCESSING AGREEMENT
iSPORTZ, INC.
United States Only — Effective April 14, 2022 | Last Updated: February 1, 2026
Governing Framework: COPPA · CCPA/CPRA · US State Privacy Laws · FTC Act · PCI-DSS · Florida Law
✔ SCOPE: This DPA governs iSportz’s processing of Organization Data exclusively within the United States; iSportz, Inc. currently conducts business only in the United States. If iSportz expands to serve organizations outside the United States in the future, this DPA will be supplemented accordingly.
This Data Processing Agreement (“DPA”) is entered into between the Organization identified in the Master Service Agreement (“MSA”) (the “Organization,” “Controller,” or “Business”) and iSportz, Inc., a Delaware corporation, 956 International Pkwy, Ste. 1590, Lake Mary, FL 32746 (“iSportz,” “Processor,” or “Service Provider”). This DPA governs iSportz’s processing of Organization Data on behalf of the Organization in connection with the iSportz Services described in the MSA.
In the event of conflict between this DPA and the MSA, this DPA prevails on all matters relating to data processing and privacy. In all other respects, the MSA governs. Defined terms not otherwise defined herein have the meanings given in the MSA. By accepting the MSA, the Organization simultaneously accepts this DPA in full without any separate execution being required.
1. DEFINITIONS
“Business” means the Organization acting as the entity that determines the purposes and means of processing Organization Data, as that term is defined under the CCPA/CPRA.
“CCPA/CPRA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act of 2020, together with all regulations and guidance issued by the California Privacy Protection Agency (CPPA).
“Child User” means any individual under the age of thirteen (13) in the United States, as defined under COPPA. All Personal Data relating to Child Users entered into the iSportz Platform is submitted exclusively by a parent, legal guardian, or authorized adult Administrator — never directly by the child.
“Consumer Rights Request” means any request by or on behalf of a consumer to exercise rights under applicable US State Privacy Laws, including rights to know, access, delete, correct, opt-out of sale or sharing, limit use of sensitive personal information, or non-discrimination.
“Controller” means the Organization — the entity that determines the purposes and means of processing Organization Data.
“COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6506, and the COPPA Rule, 16 C.F.R. Part 312, as administered and enforced by the Federal Trade Commission (FTC).
“Data Protection Legislation” means all applicable US federal and state laws relating to data protection, privacy, and security, including: (a) COPPA and the COPPA Rule; (b) CCPA/CPRA; (c) Colorado Privacy Act (CPA); (d) Virginia Consumer Data Protection Act (VCDPA); (e) Connecticut Data Privacy Act (CTDPA); (f) Texas Data Privacy and Security Act (TDPSA); (g) Florida Digital Bill of Rights (FDBR); (h) FTC Act Section 5 (unfair or deceptive practices); (i) PCI-DSS for payment card data; (j) applicable state breach notification laws; and (k) all other applicable federal, state, or local US data protection laws enacted after the date of this DPA, in each case as amended from time to time.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates, including Organization Members and, where applicable, their parents or legal guardians.
“Florida Digital Bill of Rights (FDBR)” means the Florida Digital Bill of Rights, Fla. Stat. § 501.701 et seq., effective July 1, 2024, which applies to controllers that process personal data of Florida residents.
“Organization Data” means any Personal Data relating to the Organization’s Members that iSportz processes as Processor in connection with providing the iSportz Services, and that is not iSportz Data.
“Personal Data” / “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under applicable Data Protection Legislation. This includes “personal information” as defined under COPPA (information collected online from children under 13) and under CCPA/CPRA.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Organization Data processed by iSportz.
“Processor” / “Service Provider” means iSportz — the entity that processes Organization Data on behalf of the Organization. The term “Service Provider” is used in the CCPA/CPRA context; “Processor” is used in other US State law contexts. Both terms refer to iSportz acting on the Organization’s behalf.
“Sensitive Personal Information (SPI)” means, under CCPA/CPRA (Cal. Civ. Code § 1798.140(ae)): Social Security numbers; driver’s license, state ID, or passport numbers; financial account credentials; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of communications; genetic data; biometric data used to identify an individual; health, sex life, or sexual orientation data. Under other State laws, equivalent categories of sensitive data as defined therein.
“Sub-Processor” means any US-based third party engaged by iSportz to process Organization Data on iSportz’s behalf in connection with providing the iSportz Services.
2. APPOINTMENT AND PROCESSING INSTRUCTIONS
2.1 Processor Appointment
The Organization appoints iSportz as its Processor and Service Provider to process Organization Data solely in accordance with: (a) this DPA; (b) the MSA and any applicable Pricing Agreement or Statement of Work; and (c) the Organization’s documented instructions as provided from time to time. iSportz accepts this appointment and agrees to process Organization Data only in accordance with such instructions, consistent with the Service Provider obligations under CCPA/CPRA and equivalent State laws.
2.2 Documented Instructions and Limitations
The Organization’s primary instructions to iSportz are set out in this DPA and the MSA. iSportz shall not process Organization Data: (a) for any purpose other than providing the iSportz Services; (b) for iSportz’s own commercial advantage or benefit; (c) to build products or services that compete with the Organization; or (d) in a manner inconsistent with applicable Data Protection Legislation. If iSportz determines that any instruction from the Organization would violate applicable Data Protection Legislation, iSportz shall promptly notify the Organization in writing.
2.3 No Sale or Sharing
iSportz shall not sell, share (as those terms are defined under CCPA/CPRA), rent, or otherwise disclose Organization Data to any third party for monetary or other valuable consideration, or for cross-context behavioral advertising. iSportz shall not combine Organization Data with Personal Data from iSportz’s own interactions with consumers or from other sources, except as strictly necessary to provide the iSportz Services as specified in this DPA and the MSA.
2.4 Notification of Changed Ability
iSportz shall promptly notify the Organization if iSportz determines that it can no longer meet its obligations under this DPA or applicable Data Protection Legislation. Upon such notification, the Organization may: (a) direct iSportz to cease further processing of Organization Data; (b) terminate the MSA in accordance with its termination provisions; or (c) take other appropriate steps to ensure lawful processing.
3. iSPORTZ SERVICE PROVIDER / PROCESSOR OBLIGATIONS
3.1 Confidentiality
iSportz shall ensure that all personnel authorized to access or process Organization Data are: (a) subject to binding written confidentiality obligations (contractual or statutory); (b) trained on applicable data protection requirements and COPPA obligations at onboarding and annually thereafter; and (c) granted access to Organization Data only to the extent necessary for their specific role in providing the iSportz Services. Personnel access shall be revoked immediately upon termination of employment or change of role.
3.2 Technical and Organizational Security Measures
iSportz shall implement and maintain the technical and organizational security measures described in Schedule 2 of this DPA. These measures are appropriate to the risks presented by iSportz’s processing activities, taking into account the nature, scope, context, and purposes of processing, the sensitivity of the data (including Child User data), and the state of currently available technology. iSportz shall review and, where necessary, update these measures at least annually.
3.3 Assistance with Compliance
Taking into account the nature of iSportz’s processing and the information available to iSportz, iSportz shall provide the Organization with reasonable assistance to:
- Respond to Consumer Rights Requests under applicable US State Privacy Laws within the timeframes specified in Section 6 of this DPA;
- Respond to verified parental rights requests under COPPA within the timeframes specified in Section 5 of this DPA;
- Conduct privacy impact assessments where required by applicable law;
- Implement and maintain appropriate security measures and respond to Personal Data Breaches in accordance with Section 4 of this DPA; and
- Demonstrate compliance with applicable Data Protection Legislation to the Organization, regulatory authorities, and in any audit or investigation.
3.4 Audit and Oversight Rights
iSportz shall make available to the Organization all information reasonably necessary to demonstrate compliance with this DPA. Upon written request (with at least thirty (30) days’ advance notice, reduced to five (5) business days in the event of a suspected breach or active regulatory inquiry), iSportz shall permit and cooperate with compliance reviews or audits of its data processing activities by the Organization or a mutually agreed independent auditor, subject to:
- Execution of a confidentiality agreement covering any iSportz proprietary or third-party information reviewed;
- Audits conducted during normal business hours with minimal disruption to iSportz operations;
- The Organization bearing all audit costs, except where an audit reveals a material breach of this DPA by iSportz, in which case iSportz shall bear reasonable audit costs; and
- Audits limited in scope to iSportz’s processing of Organization Data and not extending to other customers’ data.
In lieu of an on-site audit, iSportz may satisfy this obligation by providing completed security questionnaires, third-party audit reports (e.g., AWS SOC 2 reports covering the infrastructure layer), or written certifications of compliance with specific DPA provisions.
3.5 FTC and Regulatory Cooperation
iSportz shall cooperate with the FTC (for COPPA matters), applicable State Attorneys General, and any other US regulatory authority with jurisdiction over the processing of Organization Data, as required by applicable law. iSportz shall promptly notify the Organization (within 5 business days) of any regulatory inquiry, investigation, or enforcement action relating to the processing of Organization Data, to the extent permitted by law.
4. PERSONAL DATA BREACH NOTIFICATION AND RESPONSE
4.1 Discovery and Assessment
iSportz shall maintain procedures to detect, assess, and contain Personal Data Breaches. Upon discovering or being notified of a potential breach, iSportz shall: (a) immediately assess whether a breach has occurred and its scope; (b) take steps to contain and mitigate the breach; and (c) preserve evidence for investigation.
4.2 Notification to Organization
In the event of a confirmed Personal Data Breach affecting Organization Data, iSportz shall notify the Organization without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach. Notification shall be made to the Organization’s designated contact via email. Where complete information is not available within 72 hours, iSportz shall provide initial notification promptly and supplement with additional information as it becomes available. Breach notification shall include:
- A description of the nature of the breach, including the categories and approximate number of individuals affected and the approximate quantity of records involved;
- The contact details of iSportz’s privacy contact (privacy@isportz.co);
- The likely consequences of the breach as known at the time of notification;
- Whether the breach involved Child User data (which triggers the enhanced COPPA notification procedure in Section 4.3); and
- The measures taken or proposed by iSportz to address the breach and mitigate adverse effects.
4.3 COPPA-Specific Breach Notification
⚠ COPPA PRIORITY: Any breach involving Child User data (Personal Data of children under 13) is treated as the highest severity incident and triggers a reduced 48-hour notification window.
Where a Personal Data Breach involves or potentially involves Child User data, iSportz shall:
- Notify the Organization within forty-eight (48) hours of becoming aware of the breach (not 72 hours);
- Immediately isolate and preserve affected Child User data pending investigation;
- Assess whether the breach constitutes a “data security event” requiring notification to the FTC or applicable State AG;
- Cooperate fully with any law enforcement, FTC, or regulatory investigation; and
- Provide the Organization with a written incident report within thirty (30) days of resolution, including root cause analysis, scope of exposure, and remediation steps.
4.4 State Breach Notification Laws
The Organization is responsible for notifying affected individuals and applicable State regulators as required by State breach notification laws, including the Florida Information Protection Act (Fla. Stat. § 501.171), California Civil Code § 1798.82, and equivalent laws in all States where affected individuals reside. iSportz shall provide the Organization with all information necessary to comply with these notification obligations within the timeframes imposed by applicable law. Key State notification deadlines include:
4.5 Post-Breach Remediation
Following any Personal Data Breach, iSportz shall: (a) conduct a root cause analysis; (b) implement remediation measures to prevent recurrence; (c) cooperate with any forensic investigation commissioned by the Organization or a regulatory authority at the Organization’s cost (unless the breach resulted from iSportz’s negligence or misconduct); and (d) provide the Organization with a written post-incident report within thirty (30) days of breach resolution.
5. CHILD DATA, COPPA, AND ORGANIZATIONAL RESPONSIBILITY
5.1 The Fundamental Structure: iSportz Is a Tool, Organizations Are Operators
iSportz is a sports management technology platform. It does not independently determine what data to collect about child athletes. It does not solicit information from children or their families. It does not set data collection policies. It stores, displays, and processes only the data that Organizations enter and configure. The Organization — the sports club, league, team, or federation using iSportz — is the entity with its own data governance policies, its own direct relationship with child athletes and families, and its own legal responsibilities under applicable law.
✔ COPPA STRUCTURE UNDER THIS DPA:
ORGANIZATION = COPPA Operator. Has its own data collection policies. Has the direct relationship with child athletes and families. Is responsible for parental notice, verifiable parental consent, and all COPPA operator obligations.
iSportz = Sports Management Tool / Service Provider. Processes child data only as the Organization instructs and configures. Does not direct its services to children. Does not collect data directly from children. Does not set the Organization’s data collection policies.
COPPA (15 U.S.C. §§ 6501–6506) applies to operators of online services directed to children under 13, or operators with actual knowledge they are collecting personal information directly from children under 13. iSportz is neither. iSportz is directed to adult sports administrators. Because iSportz processes child data only as a service provider acting on Organizations’ instructions, and because the FTC recognizes the operator / service provider distinction, the COPPA compliance obligations in this Section 5 are allocated accordingly.
5.2 Organization’s Representations and Warranties as COPPA Operator
⚠ DPA CONDITION: iSportz processes child data under this DPA only because and to the extent the Organization has satisfied its own COPPA obligations. The following are the Organization’s representations and warranties to iSportz — not the other way around. Breach of any of these warranties by the Organization constitutes a material breach of this DPA and the MSA.
By accepting this DPA and submitting child athlete data to iSportz, the Organization represents and warrants that:
- Own Privacy Policy. The Organization has and maintains its own COPPA-compliant privacy policy covering its data collection practices, including disclosure of iSportz as a service provider that processes child data on its behalf. The Organization’s privacy policy — not iSportz’s Children’s Privacy Policy — is the Organization’s primary COPPA operator notice. iSportz’s Children’s Privacy Policy at https://isportz.co/legal-COPPA may be referenced as a supplement describing the service provider’s handling.
- Own Consent Process. The Organization has established its own process for obtaining verifiable parental consent — independent of iSportz — before any child athlete’s personal information is entered into the iSportz Platform. This consent process is the Organization’s responsibility. iSportz does not and cannot obtain parental consent on the Organization’s behalf.
- Own Parental Notice. The Organization has provided direct notice to parents of child athletes describing what personal information is collected, how it is used, that iSportz processes it as a service provider, and how parents can exercise their rights by contacting the Organization.
- Consent Records. The Organization maintains records of all verifiable parental consents obtained, including the method, date, and identity of the consenting parent or guardian, and will make those records available upon request from iSportz or a regulatory authority.
- Data Minimization. The Organization will submit to iSportz only personal information about child athletes that is necessary for sports management purposes and for which it has parental consent. The Organization will not submit sensitive personal data about children (health records, government IDs, biometric data) without specific parental consent for that data category.
- Adult-Controlled Entry. The Organization controls its own registration systems and access to iSportz. It ensures that all child athlete data entered into iSportz is entered by an authorized adult — a parent, guardian, or adult Administrator — not by the child directly. The Organization configures its own registration portal and access controls to enforce this; iSportz implements the access structure the Organization creates.
- Parent Rights Handling. The Organization handles all parental rights requests (review, correction, deletion, consent withdrawal) as the first point of contact. Parents contact the Organization. Where a request requires action within the iSportz Platform, the Organization’s Administrator acts directly using the Platform’s tools, or forwards the request to iSportz at support@iSportz.co (subject: “COPPA — Child Data Request”) and iSportz will process it within thirty (30) days.
- Regulatory Notification. The Organization will notify iSportz within five (5) business days of any FTC, State AG, or other regulatory inquiry, investigation, or enforcement action relating to child athlete data processed through the iSportz Platform.
5.3 iSportz Platform-Level Commitments for Child Data
iSportz is a tool — it processes what Organizations configure and enter, nothing more. The following commitments apply at the platform level to all child athlete data processed through iSportz, regardless of which Organization submitted it. These commitments reflect iSportz’s tool role and protect against iSportz ever being characterized as a COPPA co-operator by the FTC:
- No Direct Collection. iSportz does not and will not present registration, data entry, or profile creation screens directly to children under 13. The Platform is designed for adult administrators. All child athlete data is entered by parents, guardians, or adult Administrators.
- No Advertising Use. iSportz will not use child athlete data for advertising, behavioral profiling, interest-based advertising, or any commercial purpose unrelated to providing the iSportz Services to the Organization that submitted the data.
- No Sale or Sharing. iSportz will not sell or share child athlete data with any third party for monetary consideration or for behavioral advertising purposes.
- Purpose Limitation. iSportz processes child data only for sports management purposes within the iSportz Services, as directed by the Organization. iSportz does not use child data for any purpose the Organization has not authorized.
- No Independent Public Disclosure. iSportz will not make child athlete data publicly accessible without the Organization’s explicit authorization.
- Deletion on Instruction. Upon receiving a forwarded parental deletion request from the Organization at support@iSportz.co, iSportz will delete the specified child’s Personal Data from active systems within thirty (30) days and from backup systems within ninety (90) days, and provide written deletion confirmation.
- Sub-Processor Restrictions. iSportz will contractually prohibit all sub-processors from using child athlete data for advertising or any purpose beyond providing the iSportz Services.
- Security Measures. iSportz maintains security measures appropriate to child data sensitivity, including encryption in transit and at rest consistent with its AWS infrastructure configuration.
- Breach Notification. iSportz will notify the Organization within forty-eight (48) hours of becoming aware of any breach involving child athlete data so the Organization can fulfill its notification obligations to parents and regulatory authorities.
5.4 iSportz’s No-Knowledge Protection
Under the COPPA Rule, a service provider that receives actual knowledge that a first-party operator’s service is directed to children may itself become a co-operator subject to direct COPPA obligations. iSportz manages this risk through the following structural features of the Platform and this DPA:
- iSportz’s Platform is directed to adult sports administrators. The Platform’s interface, marketing materials, and terms of service are aimed at Organizations and adult users.
- iSportz does not present data collection interfaces to children. Children do not interact directly with iSportz’s Platform to enter their own information.
- The Organization, by accepting this DPA, represents that it has obtained parental consent through its own processes before submitting child data. iSportz relies on this representation.
- iSportz maintains the platform-level restrictions in Section 5.3, ensuring that even if an Organization were to submit child data without adequate consent, iSportz would not use that data for advertising or other prohibited purposes.
FTC STANDARD: A third-party service provider acquires “actual knowledge” — and becomes subject to direct COPPA obligations — when the child-directed operator directly communicates the child-directed nature of its service to the service provider (FTC COPPA Rule FAQ 39). The structure of this DPA and the Platform is designed to ensure iSportz remains a neutral tool, not a co-operator.
5.5 Organization Indemnification for COPPA Compliance Failures
The Organization agrees to defend, indemnify, and hold harmless iSportz and the iSportz Parties from and against any claims, demands, actions, fines, penalties, losses, liabilities, damages, costs, and expenses (including attorneys’ fees) arising from: (a) the Organization’s failure to maintain its own COPPA-compliant privacy policy; (b) the Organization’s failure to establish and run its own verifiable parental consent process before entering child data into iSportz; (c) the Organization’s failure to provide required direct parental notice; (d) the Organization’s failure to maintain consent records; (e) the Organization’s failure to respond to parental rights requests; (f) the Organization’s misconfiguration of the iSportz Platform or its own registration systems in a manner that results in unauthorized collection or processing of child data; (g) any FTC or State enforcement action arising from the Organization’s own data collection policies, practices, or consent failures; or (h) any claim by a parent arising from the Organization’s role as COPPA operator.
⚠ CLEAR ALLOCATION: iSportz is a tool. The Organization sets the data collection policies, runs the consent process, and owns the parent relationship. If the Organization’s COPPA compliance fails — wrong consent method, missing privacy notice, inadequate parental rights procedure — that is the Organization’s liability. iSportz’s liability under this DPA is limited to its own platform-level commitments in Section 5.3.
5.6 Categories of Child Data iSportz May Process (As Submitted by Organization)
For transparency, the following categories of child athlete data may be stored in iSportz depending on what the Organization enters and configures. iSportz processes only what the Organization submits:
Name, date of birth, gender: Entered by parent/guardian or adult Administrator for roster and eligibility purposes.
Team assignment, jersey number: Entered by adult Administrator for team management.
Athletic performance data, statistics, attendance: Entered by coach or adult Administrator for coaching and reporting.
Parent/guardian contact information (not child’s): Entered by parent/guardian for communications about the child’s participation.
Competition results, scheduling: Entered by adult Administrator for event management.
Profile photo (if uploaded): Uploaded by parent/guardian or adult Administrator for roster identification. Deleted on parental request.
Device/IP data: Collected automatically from the adult device used to access the Platform. Not collected from the child’s device.
NOTE: iSportz does NOT collect device identifiers, IP addresses, or any persistent identifiers directly from the child’s device. Any session or device data is collected from the adult’s device when they access the Platform to manage the child’s account.
6. CONSUMER RIGHTS REQUESTS (US STATE PRIVACY LAWS)
6.1 Scope
This Section 6 governs iSportz’s obligations with respect to Consumer Rights Requests under CCPA/CPRA and other applicable US State Privacy Laws. For COPPA parental rights requests, see Section 5.5 above.
6.2 Forwarding Requests to Organization
Where iSportz receives a Consumer Rights Request directly from a California resident or resident of another applicable State regarding Organization Data, iSportz shall:
- Acknowledge receipt to the requesting consumer within ten (10) business days;
- Forward the request to the Organization within five (5) business days;
- Not respond to the consumer regarding the substance of their request without the Organization’s prior written authorization;
- Provide the Organization with all information reasonably required to respond to the request; and
- Assist the Organization in fulfilling the request within the applicable timeframe below.
6.3 Response Timeframes by Law
6.4 Identity Verification
Before assisting with a Consumer Rights Request, iSportz may require the Organization to confirm that the identity of the requesting consumer has been verified using a commercially reasonable verification method appropriate to the sensitivity of the data and the type of request. iSportz shall not be obligated to assist with a request until the Organization confirms verification. Verification requirements shall not be so burdensome as to effectively deny consumers the ability to exercise their rights.
6.5 Right to Non-Discrimination
Neither iSportz nor the Organization shall deny, charge different prices for, or provide different quality of service to any consumer for exercising a Consumer Right, except to the extent that such difference in price or service is reasonably related to the value provided by the consumer’s data and is otherwise permitted by applicable Data Protection Legislation.
6.6 CCPA/CPRA — iSportz as Service Provider
iSportz certifies that it understands and will comply with its obligations as a Service Provider under the CCPA/CPRA. iSportz shall not process Organization Personal Data in a manner that constitutes a “sale” or “sharing” as those terms are defined in the CCPA/CPRA. The Organization’s disclosure of Organization Data to iSportz for the purposes of the iSportz Services does not constitute a “sale” or “sharing” of personal information under the CCPA/CPRA, provided that iSportz processes such data only in accordance with this DPA.
6.7 Sensitive Personal Information Limitations (CPRA)
iSportz shall use Sensitive Personal Information (SPI) of California residents only for the following permitted purposes: (a) providing the iSportz Services as specified in this DPA and the MSA; (b) detecting security incidents and protecting against fraud; (c) short-term transient use; (d) performing services on behalf of the Organization; and (e) ensuring safety and integrity. iSportz shall not use SPI to infer characteristics about consumers, for advertising, or for any purpose not specified above. The Organization may instruct iSportz to limit or cease processing of SPI at any time by written notice, and iSportz shall comply within a commercially reasonable time not to exceed thirty (30) days.
7. SUB-PROCESSORS
7.1 General Authorization
By accepting the MSA (which incorporates this DPA), the Organization grants iSportz general written authorization to engage the Sub-Processors listed in Schedule 3 of this DPA to process Organization Data in connection with providing the iSportz Services. iSportz shall impose data protection obligations on all Sub-Processors that are equivalent to those set out in this DPA and shall remain fully liable to the Organization for the performance of Sub-Processors’ obligations under this DPA.
7.2 Sub-Processor Changes — 30-Day Advance Notice
iSportz shall notify the Organization at least thirty (30) days in advance of adding or replacing any Sub-Processor by updating Schedule 3 and notifying the Organization via email to the Organization’s registered contact address or via Platform notification. The Organization may object to a new or replacement Sub-Processor within thirty (30) days by written notice to privacy@isportz.co specifying the specific data protection grounds for the objection. If the objection cannot be resolved within a further thirty (30) days, the Organization may terminate the affected Services on thirty (30) days’ written notice without penalty.
7.3 Sub-Processor Requirements
Before engaging any Sub-Processor, iSportz shall enter into a written agreement that: (a) restricts the Sub-Processor to processing Organization Data only for the purposes specified; (b) requires appropriate technical and organizational security measures; (c) requires prompt notification to iSportz of any Personal Data Breach; (d) prohibits onward sub-processing without iSportz’s written consent; and (e) imposes COPPA-specific restrictions where Child User data may be processed.
7.4 COPPA Restrictions on Sub-Processors
No Sub-Processor authorized under this DPA shall be permitted to: (a) collect Personal Data directly from Child Users; (b) use Child User data for advertising, behavioral profiling, or any commercial purpose; (c) combine Child User data with data from other sources; or (d) retain Child User data beyond the period necessary to perform the Sub-Processor’s specific function. iSportz shall include binding COPPA-equivalent restrictions in all Sub-Processor agreements where Child User data may be accessed.
8. DATA RETENTION AND DELETION
8.1 Retention Schedule
iSportz shall retain Organization Data only as long as necessary to provide the iSportz Services and to fulfill legal obligations. The following schedule mirrors MSA Section 6.5 and is legally binding on iSportz:
8.2 Deletion on Termination
Upon termination or expiration of the MSA (or upon the Organization’s written request at any time), iSportz shall, at the Organization’s written election within the 30-day post-termination window: (a) securely delete all Organization Data from iSportz’s active systems; or (b) return all Organization Data to the Organization in a commonly used, machine-readable format (CSV, JSON, or equivalent), following which iSportz shall delete its copies. iSportz shall provide written confirmation of deletion or return within forty-five (45) days. Retention beyond these periods is permitted only where required by applicable law, in which case iSportz shall notify the Organization of the specific legal basis.
8.3 Secure Deletion Methods
All deletion of Organization Data shall use secure deletion methods that render data unrecoverable from active systems. Backup data shall be purged through the scheduled backup rotation process. iSportz shall maintain documentation of deletion procedures and shall provide the Organization with written confirmation of deletion upon request.
9. SENSITIVE PERSONAL INFORMATION
9.1 Categories Processed
In providing the iSportz Services to US-based Organizations, iSportz may process the following categories of Sensitive Personal Information:
9.2 Restrictions on SPI Use
iSportz shall use Sensitive Personal Information only as necessary to provide the iSportz Services as specified in this DPA and the MSA. iSportz shall not: (a) sell SPI; (b) share SPI for cross-context behavioral advertising; (c) use health data, racial/ethnic data, or government ID data for any purpose unrelated to the specific Service function for which it was provided; or (d) use SPI to infer characteristics about individuals beyond what is necessary to provide the iSportz Services. The Organization may instruct iSportz to limit or cease processing of any SPI category at any time by written notice to privacy@isportz.co.
10. GOVERNING LAW, DISPUTE RESOLUTION, AND LIABILITY
10.1 Governing Law
This DPA shall be governed exclusively by the laws of the State of Florida, United States, without regard to its conflict of laws principles. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods does not apply to this DPA. This DPA governs US domestic data processing only.
10.2 Jurisdiction and Venue
Any dispute arising under this DPA that is not resolved by the parties within thirty (30) days of written notice shall be subject to the dispute resolution and arbitration provisions of the MSA (Section 18), with venue in Seminole County, Florida. The parties hereby submit to the exclusive personal jurisdiction of the state and federal courts located in Seminole County, Florida for any dispute not subject to arbitration.
10.3 Regulatory Jurisdiction
iSportz acknowledges that its data processing activities are subject to the regulatory jurisdiction of: (a) the Federal Trade Commission (FTC) for COPPA compliance and Section 5 FTC Act matters; (b) the California Privacy Protection Agency (CPPA) and California AG for CCPA/CPRA matters; (c) applicable State Attorneys General for breach notification and State privacy law matters; and (d) the Florida AG for Florida Digital Bill of Rights and Florida Information Protection Act matters. iSportz shall cooperate with each of these regulatory bodies as required by applicable law.
10.4 Liability
Each party’s liability under or in connection with this DPA is subject to the limitations of liability set out in MSA Section 10.2, except that there shall be no cap on liability for: (a) iSportz’s breach of Section 5 (COPPA obligations); (b) iSportz’s failure to notify the Organization of a breach within the timeframes in Section 4; (c) iSportz’s unauthorized sale or sharing of Organization Data; or (d) willful misconduct or gross negligence in connection with the processing of Child User data. Each party shall be solely responsible for regulatory fines and penalties imposed as a result of that party’s own violations of applicable Data Protection Legislation.
10.5 DPA Precedence
In the event of any conflict between this DPA and the MSA on matters relating to the processing of Personal Data, this DPA shall prevail. In all other respects, the MSA governs the parties’ relationship.
11. GENERAL PROVISIONS
11.1 Term
This DPA is effective as of the Effective Date of the MSA and continues for the duration of the MSA. Sections 4 (breach notification), 5 (COPPA), 8 (retention/deletion), 9 (sensitive data), 10 (governing law and liability), and this Section 11 survive termination.
11.2 Amendments
iSportz may update this DPA from time to time to reflect changes in applicable Data Protection Legislation, new US State privacy laws, regulatory guidance, or material changes to iSportz’s processing activities. iSportz shall notify the Organization at least thirty (30) days in advance of any material change via email or Platform notification. Continued use of the iSportz Services after the effective date of any update constitutes acceptance. If an update materially reduces the Organization’s rights or iSportz’s obligations, the Organization may terminate the affected Services on written notice within thirty (30) days without penalty.
11.3 Future International Expansion
If iSportz expands its business to serve Organizations outside the United States, iSportz shall update this DPA with appropriate jurisdictional terms before commencing such processing, and shall notify the Organization at least sixty (60) days in advance.
11.4 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full force and effect. The invalid provision shall be replaced by a valid provision that comes as close as possible to the original intent of the parties.
11.5 Privacy Contact
All data protection inquiries, Consumer Rights Requests, COPPA parental rights requests, breach notifications, and DPA-related communications shall be directed to: privacy@isportz.co | iSportz, Inc., Attn: Privacy Officer, 956 International Pkwy, Ste. 1590, Lake Mary, FL 32746.
11.6 Entire Agreement on Data Processing
This DPA, together with the MSA, the Children’s Privacy Policy, and the Schedules hereto, constitutes the entire agreement between the parties with respect to iSportz’s processing of Organization Data and supersedes all prior agreements on that subject matter.
SCHEDULE 1 — PROCESSING OVERVIEW
A. PARTIES
Organization (Controller / Business)
The Organization is the entity identified in the MSA — a US-based sports governing body, federation, league, team, club, school, university, or similar organization. Contact details are set out in the applicable Pricing Agreement or account registration.
B. DESCRIPTION OF PROCESSING
1. Categories of Data Subjects
- US-based athletes of all ages, including child athletes under 13 (data entered by parent/guardian or adult Administrator only);
- Parents and legal guardians of athletes;
- Coaches, managers, volunteers, and administrative staff;
- Organization Administrators; and
- Event participants, officials, and other sports program participants.
2. Categories of Personal Data
| Data Subject | Categories of Personal Data |
| --- | --- |
| All athletes (including child athletes) | Name, date of birth, gender, contact information (parent/guardian contact for child athletes), club/association membership, ability group, attendance history, competition results, performance statistics, emergency contact information, team assignment, jersey number |
| Child athletes (under 13 specifically) | Same as above — ALL data entered exclusively by parent, legal guardian, or authorized adult Administrator. iSportz does not collect any data directly from the child. |
| Parents / legal guardians | Name, contact details (email, phone, address), relationship to athlete |
| Coaches, staff, volunteers | Name, contact details, role and qualifications, association membership, background check results (where applicable — processed by NCSI sub-processor) |
| Administrators | Name, contact details, account credentials (hashed), access logs, role and system permissions |
3. Sensitive Personal Information
iSportz may process the following SPI categories where provided by the Organization: health/medical data; financial account data (via Payment Processing Agreement); government ID numbers (for background checks); precise geolocation; racial or ethnic origin (where voluntarily disclosed). See Section 9 of this DPA for applicable restrictions.
4. Frequency of Transfer
Organization Data is transferred to iSportz on a continuous basis throughout the term of the MSA.
5. Nature and Purpose of Processing
iSportz processes Organization Data to: (a) host, maintain, and operate the iSportz Platform and all associated data infrastructure within the United States; (b) grant authorized Members controlled electronic access to the Platform; (c) provide sports management functions including membership, event registration, scheduling, results recording, and communications; (d) process payments through the iSportz Payments service; (e) generate reports and analytics for the Organization; and (f) provide technical support and customer service.
6. Retention Period
Per the Data Retention Schedule in Section 8.1 of this DPA and MSA Section 6.5.
7. Regulatory Jurisdiction
Federal Trade Commission (FTC) for COPPA matters. California Privacy Protection Agency (CPPA) and California AG for CCPA/CPRA. Applicable State AGs for State breach notification and State privacy law matters. Florida AG for FDBR and Florida Information Protection Act matters.
SCHEDULE 2 — TECHNICAL AND ORGANIZATIONAL MEASURES
⚠ REALISTIC COMMITMENT STATEMENT: The measures below reflect what iSportz currently implements or uses through its AWS infrastructure. Where a measure references AWS, it covers the infrastructure layer. iSportz is responsible for the application layer above the AWS infrastructure. iSportz does not represent that it currently holds SOC 2 Type II certification or has conducted a third-party penetration test. iSportz commits to working toward SOC 2 certification and to conducting its first third-party penetration test within 12 months of the Effective Date of this DPA.
A. Infrastructure Security — Provided by AWS
iSportz hosts the Platform on Amazon Web Services (AWS) infrastructure located in the United States. AWS maintains the following certifications and controls that cover the infrastructure layer on which iSportz operates:
- SOC 1, SOC 2, and SOC 3 reports (available at https://aws.amazon.com/compliance/soc-faqs/);
- PCI-DSS Level 1 certification for payment-related infrastructure;
- Physical data center security (access controls, CCTV, biometric access, 24/7 staffing);
- Network perimeter security (firewalls, DDoS mitigation, intrusion detection at the infrastructure level);
- High availability and redundancy across multiple AWS availability zones; and
- AWS data center locations: United States only (consistent with US-only business scope).
iSportz will provide the Organization with the applicable AWS SOC 2 report upon written request, subject to AWS confidentiality requirements.
B. Encryption
- Data in transit: All communications between users and the iSportz Platform use TLS 1.2 or higher encryption. This is enforced at the application level and is a current operational commitment.
- Data at rest: iSportz uses AWS storage services (S3, RDS) with server-side encryption enabled. iSportz is responsible for confirming that encryption-at-rest is enabled for all storage buckets and databases containing Organization Data. [ACTION ITEM: Confirm with iSportz tech team before DPA publication.]
- Payment card data: Handled exclusively by Stripe (PCI-DSS Level 1 certified). iSportz does not store raw card numbers.
- Passwords: User passwords are stored as hashed values using industry-standard hashing algorithms (bcrypt or equivalent). Plain-text passwords are never stored.
C. Access Control — Application Layer
- Role-based access control (RBAC): Access to Organization Data within the Platform is controlled by user roles assigned by the Organization’s Administrator. iSportz personnel access to production Organization Data is limited to authorized engineering and support staff.
- iSportz personnel authentication: iSportz implements password requirements for staff systems. iSportz will implement multi-factor authentication (MFA) for all staff with access to production systems containing Organization Data within 90 days of the Effective Date of this DPA.
- Access revocation: iSportz maintains a procedure to revoke staff access to Organization Data upon termination of employment or change of role. Access revocation is completed within one business day of a termination event.
- Privileged access: Administrative access to iSportz’s production systems is restricted to a documented list of authorized personnel and is reviewed quarterly.
D. Availability and Business Continuity
- AWS infrastructure provides multi-availability-zone redundancy for iSportz’s primary data storage and compute services.
- iSportz performs automated daily backups of Organization Data. Backups are encrypted and stored in AWS S3.
- Recovery Point Objective (RPO): 24 hours (daily backup frequency).
- Recovery Time Objective (RTO): iSportz targets restoration of core Platform functionality within 4 hours for Priority 1 incidents. This is a target, not a guaranteed SLA for all scenarios.
- iSportz maintains a documented disaster recovery procedure. This procedure is tested at least annually.
E. Personnel Security
- All iSportz personnel with access to production systems or Organization Data are required to sign a confidentiality agreement as a condition of employment or engagement.
- iSportz conducts background checks on US-based personnel with access to production systems, consistent with applicable law.
- iSportz provides data protection and COPPA-specific security training to all personnel who may access Organization Data, at onboarding and annually thereafter.
- iSportz maintains a clean desk and screen lock policy for personnel working with Organization Data.
F. Incident Response
- iSportz maintains a written Incident Response Plan covering detection, containment, eradication, recovery, and post-incident review.
- iSportz maintains the ability to notify the Organization of a Personal Data Breach within 72 hours (COPPA breaches: 48 hours) from the time iSportz becomes aware of the breach.
- iSportz designates privacy@isportz.co as the primary breach notification contact for all data security incidents.
- iSportz conducts a post-incident review for any confirmed breach and provides a written report to the Organization within 30 days of resolution.
G. Vendor / Sub-Processor Security
- iSportz reviews the security practices of all new Sub-Processors before engagement and requires Sub-Processors to maintain data protection standards equivalent to this Schedule.
- iSportz includes contractual data protection and COPPA restrictions in all Sub-Processor agreements where Organization Data may be accessed.
- iSportz maintains a current list of authorized Sub-Processors in Schedule 3 and provides 30 days’ advance notice of any changes.
H. Security Improvement Commitments
✔ COMMITTED ACTIONS (not yet completed but binding commitments):
| Commitment | Target Date | Priority |
| --- | --- | --- |
| Implement MFA for all iSportz staff with production system access | Within 90 days of DPA Effective Date | Critical |
| Confirm AES-256 / server-side encryption enabled on all AWS S3 buckets and RDS instances containing Organization Data | Within 60 days of DPA Effective Date | Critical |
| Conduct first internal security audit and vulnerability scan | Within 180 days of DPA Effective Date | High |
| Conduct first third-party penetration test | Within 12 months of DPA Effective Date | High |
| Complete SOC 2 Type II readiness assessment | Within 18 months of DPA Effective Date | Medium |
| Implement quarterly privileged access reviews (documented) | Within 90 days of DPA Effective Date | High |
SCHEDULE 3 — AUTHORIZED SUB-PROCESSORS
The following Sub-Processors are authorized by the Organization through acceptance of the MSA. iSportz shall provide 30 days’ advance notice of any additions or replacements. All Sub-Processors operate in the United States (or are US entities with US-based processing for iSportz’s US business).
CURRENT LIST: This Schedule 3 reflects iSportz’s current authorized Sub-Processors as of the Last Updated date above. iSportz maintains this list and will provide 30 days’ advance notice of any additions, replacements, or removals. The Organization may also request the current list at any time by emailing privacy@isportz.co.
ACCEPTANCE
This DPA is incorporated into and forms part of the iSportz Master Service Agreement. By accepting the MSA, the Organization and iSportz are deemed to have accepted this DPA as of the MSA Effective Date, without any separate execution being required.
Organizations that require a separately executed DPA for enterprise procurement or compliance purposes may request a countersigned copy by emailing privacy@isportz.co. The terms of any separately executed DPA shall be identical to this version unless separately negotiated in writing.