Last updated: May 9, 2026
Data Processing Agreement (DPA)
This Data Processing Agreement is concluded between the Coach (Controller) and the Operator (Processor) regarding Client data entered into the CoachReview Service. It forms an attachment to the Terms of Service and is concluded upon acceptance of those Terms.
1. Roles
For Client data entered by the Coach, the Coach acts as controller within the meaning of Article 4(7) GDPR and the Operator acts as processor within the meaning of Article 4(8) GDPR.
For the Coach's own account data, the Operator is the controller; that processing is governed by the Operator's Privacy Policy and not by this DPA.
2. Subject, duration, nature and purpose
The subject of processing is the processing of Client data for the purpose of providing CoachReview as defined in the Terms.
The nature of processing covers collection, recording, storage, organisation, modification, display, disclosure to the Coach only, restriction and erasure within the Operator's IT environment.
Processing lasts for the duration of the service agreement and ends upon its termination, subject to the provisions on deletion or return.
3. Categories of data and data subjects
Categories of data: Client identification and contact data, training notes, materials, assignments, video recordings, availability calendar and related technical metadata.
Categories of data subjects: Coach's Clients, their legal guardians where applicable, and other persons whose data the Coach enters into the Service in connection with the coaching activity.
4. Processor obligations
The Operator processes data only on documented instructions from the Coach, which are the service agreement, the Terms and the configuration of the Coach's account. If Union or Member State law requires processing, the Operator informs the Coach unless prohibited from doing so.
Persons authorised by the Operator to process the data are committed to confidentiality or are under a statutory obligation of confidentiality.
5. Security (Article 32 GDPR)
The Operator implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit, role-based access control, the least-privilege principle, security monitoring, regular backups, password policies and security testing.
A description of the measures is available to the Coach upon request to the extent necessary to demonstrate compliance with the GDPR.
6. Sub-processors
The Coach grants general authorisation to engage sub-processors, including hosting providers, object storage providers, transactional email providers and the payment processor. An up-to-date list of sub-processors is available on request at mindmotion.tech@gmail.com.
The Operator informs the Coach of intended additions or replacements of sub-processors at least 30 days in advance. The Coach may object on reasonable grounds; if no resolution is reached, the agreement may be terminated as set out in the Terms.
The Operator concludes contracts with each sub-processor providing for data protection obligations no less protective than those set out in this DPA and remains liable to the Coach for the acts and omissions of sub-processors.
7. Assistance and breach notification
The Operator assists the Coach, to the extent reasonable, with responding to data subject requests and meeting the obligations of Articles 32 to 36 GDPR, in particular regarding security, breach notification, data protection impact assessments and prior consultations.
The Operator notifies the Coach of a personal data breach without undue delay and in any event no later than 48 hours after becoming aware of it, providing the information needed for the Coach to meet its notification obligations.
8. Audits
The Operator makes available to the Coach all information necessary to demonstrate compliance with the obligations under the GDPR and allows for and contributes to audits, including inspections, conducted by the Coach or another auditor mandated by the Coach, on terms agreed with the Operator and respecting trade secrets and other clients' data.
The Operator may demonstrate compliance by sharing existing audit reports (e.g. SOC 2, ISO 27001) and equivalent attestations of its sub-processors.
9. International transfers
The Operator may transfer data outside the EEA only with appropriate safeguards, including Standard Contractual Clauses or other mechanisms compliant with Chapter V of the GDPR. The list of sub-processors indicates processing locations.
10. Return or deletion of data
Upon termination of the Service, the Operator – at the Coach's choice expressed before the end of the agreement – deletes or returns all personal data and deletes existing copies, unless Union or Member State law requires further storage.
The Coach may export Client data at any time using the export function provided in the Service.
11. Liability
Liability of the parties for breaches of this DPA is governed by the Terms of Service, subject to Article 82 GDPR and any other mandatory provisions of law.