Data Processing Agreement (DPA)

1. Subject matter

Establish the terms under which AppByte processes Customer Data, define security obligations, sub-processors, international transfers, assistance to Data Subjects, incident notification, and return and deletion.

2. Customer instructions

AppByte will process Customer Data only in accordance with the Customer's documented instructions and these Terms of service. Use of the Service constitutes instruction for the processing necessary to provide it (storage, processing, transmission, backup, support, security).

3. Subject matter, duration and categories

• Duration: while the contract is in force and applicable retention periods.
• Nature and purpose: host, process, transmit, back up and display Customer Data to operate the UWOD Service.
• Categories of Data Subjects: members, athletes, prospective members, emergency contacts, representatives, and Customer staff (coaches, front-desk personnel and administrators) and other third parties uploaded by the Customer.
• Categories of data: identification and contact; classes, reservations and attendance; plans, memberships and membership payment metadata; WOD and training results, PRs and benchmarks, progress stats and sport metrics (some of which may be health-adjacent and therefore sensitive); the gym's own financial records (income, expenses and cash); images and documents; staff data; audit data.

4. AppByte obligations

1. Process data only under the Customer's documented instructions, except as required by law.
2. Ensure confidentiality of authorized personnel.
3. Implement reasonable technical and organizational measures consistent with the Security policy.
4. Reasonably assist the Customer in responding to Data Subject requests.
5. Notify security incidents without undue delay and, where feasible, within 72 hours of internal confirmation.
6. Delete or return the data on contract termination per the Privacy policy and the Customer's instructions.
7. Make available to the Customer reasonable information demonstrating compliance with this DPA.

5. Sub-processors

1. The Customer authorizes AppByte to use sub-processors as listed in the public sub-processor list.
2. AppByte will notify the addition of material sub-processors at least 30 calendar days in advance, except for security urgency. The Customer may object with reasoned grounds; if unresolved, it may terminate the contract without penalty.
3. AppByte will impose equivalent obligations on sub-processors where applicable.

6. International transfers

Productive infrastructure operates primarily in the United States (Contabo US East, MongoDB Atlas us-east-1, Cloudinary) and over Cloudflare's global network. AppByte adopts reasonable contractual and technical safeguards for international transfers. Per-provider and region detail is published in the sub-processor list.

7. Data Subject rights

AppByte will assist the Customer with reasonable means (Platform interfaces, export, logical deletion) to handle access, rectification, deletion, opposition, restriction and portability requests. Requests from Data Subjects whose data were uploaded by the Customer are channeled through the Customer; AppByte executes technically what the Customer requests.

8. Incidents

Minimum content of incident notification: nature of the incident, estimated date, affected data and Data Subjects, measures taken, recommendations for the Customer, point of contact and follow-up updates. AppByte may limit details when investigation is ongoing or where justified for security or confidentiality reasons.

9. Audit

The Customer may request reasonable information and available certifications. On-site audits require prior notice, limited scope, confidentiality agreements and costs borne by the Customer, except where AppByte's breach is confirmed.

10. Return and deletion

On contract termination: 30 calendar days export window (operational Customer data only); subsequent production deletion; backup overwriting within a maximum of 90 calendar days, subject to legal retention. Export does not include source code, database schemas, technical architecture, internal models, software business logic or any structural element of the Platform.

11. Liability

The liability limitation in the Terms of service (a total cap equal to the amounts actually paid by the Customer during the 12 months prior to the event giving rise to the claim, unless applicable law requires a different standard or a validly executed annex sets a different limit) also applies to this DPA, without prejudice to mandatory rules that cannot be validly waived.

12. Conflict between documents

In case of conflict between this DPA and the Terms of service on personal data matters, this DPA prevails.

13. Contact

Queries on this DPA or personal data processing: dpo@uwod.app.