Data Processing Addendum

Version 1.0 — Effective Date: pending

This Data Processing Addendum (“DPA”) is entered into between Phareon LLC, a Tennessee limited liability company (“Processor” or “CollegeRoster”), and the entity identified as the customer or subscriber in the Master Subscription Agreement or Order Form (“Controller”) (each a “Party,” together the “Parties”).

This DPA supplements and is incorporated into the Master Subscription Agreement or applicable Order Form between the Parties (the “Agreement”). In the event of any conflict between this DPA and the Agreement with respect to the subject matter of data processing, this DPA controls.

1. Definitions

“Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, CCPA/CPRA, and any other applicable federal, state, or national data protection laws.

“Controller” means the entity that determines the purposes and means of processing of Personal Data — here, the Customer organization (school, club, or other institution) described in the Agreement.

“Data Subject” means any identified or identifiable natural person to whom Personal Data relates, including athletes, parents, coaches, and staff members.

“Personal Data,” “Processing,” “Processor,” “Security Incident,” “Sub-processor,” “DSAR,” “DPIA,” “SCCs,” and “UK IDTA” have the meanings given in the full DPA document available at collegeroster.org/legal/dpa and in the legal/03-dpa-template.md source document.

2. Scope, Roles, and Duration

2.1 This DPA applies to all Processing of Personal Data by Processor on behalf of Controller in connection with the Service described in the Agreement, including the hosting of athlete profiles, management of team rosters, video delivery, messaging, and related functions.

2.2 Processor will Process Personal Data solely to provide the Service to Controller as described in the Agreement and as documented in Annex 1.

2.5 This DPA remains in force until the Agreement terminates or expires.

3. Controller Instructions and Processor Obligations

Processor will Process Personal Data only on documented instructions from Controller. Processor will not Process Personal Data for its own independent commercial purposes, will not sell Personal Data, and will not share Personal Data with third parties for cross-context behavioral advertising.

4. Sub-processors

Controller provides a general authorization for Processor to engage Sub-processors. The current Sub-processor list is:

| Sub-processor | Country | Processing Activity |
|---|---|---|
| Stripe, Inc. | USA | Payment processing and subscription management |
| Supabase, Inc. | USA | Database hosting, authentication, real-time services |
| Cloudflare, Inc. (R2) | USA (global CDN) | File and media storage |
| Bunny Way d.o.o. (Bunny Stream) | EU (Slovenia) / global CDN | Video hosting, transcoding, and delivery |
| Resend, Inc. | USA | Transactional email delivery |
| Tavily AI, Inc. | USA | AI-assisted search and discovery |

Processor will provide Controller with at least 30 days' advance notice before engaging a new Sub-processor, via email and via update to the Sub-processor list published at https://collegeroster.org/legal/subprocessors.

5. International Data Transfers

For transfers of Personal Data from the EEA or UK to the United States, the Parties incorporate the 2021 EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and, for UK transfers, the UK International Data Transfer Addendum (IDTA).

6. Security Measures

Processor implements and maintains technical and organizational security measures as described in Annex 2. At minimum these include: AES-256 encryption at rest, TLS 1.2+ in transit, MFA for all administrative access, Row-Level Security at the database layer, immutable audit logging retained for 7 years, and annual penetration testing.

7. Confidentiality and Personnel

All Processor personnel who Process Personal Data are bound by written confidentiality obligations. Access to Personal Data is restricted on a least-privilege basis and revoked promptly upon role change or termination.

8. Audit Rights

Upon written request (no more than once per calendar year absent cause), Processor will provide Controller with a summary of data protection practices and copies of relevant third-party audit reports. On-site audits require 60 days' advance written notice.

9. Security Incident Notification

In the event of a confirmed or reasonably suspected Security Incident involving Personal Data, Processor will notify Controller within 72 hours of becoming aware of the incident.

10. Data Protection Impact Assessments

Processor will, upon written request, provide reasonable cooperation and information to enable Controller to complete DPIAs required under GDPR Article 35 or analogous law.

11. Return and Deletion of Data

Upon termination or expiry of the Agreement, Processor will, at Controller's election, return or delete all copies of Controller's Personal Data from active systems, and delete from backup systems within 30 days.

12. Liability and Indemnity

The liability of each Party under this DPA is subject to and governed by the limitations of liability in the Agreement.

13. Governing Law

This DPA is governed by the law designated in the Agreement.

Annex 1 — Description of Processing

| Item | Detail |
|---|---|
| Nature of Processing | Hosting, storage, display, retrieval, and transmission of athlete and organizational data |
| Purpose of Processing | Providing the CollegeRoster Service to the Controller's organization |
| Categories of Data Subjects | Athletes (including minors); parents/guardians; coaches; recruiters; administrative staff |
| Categories of Personal Data | Identifiers (name, email, account ID); profile data; media content (photos, videos); communication records; login credentials (hashed); payment-related identifiers (via Stripe) |
| Sensitive Categories (if any) | Age (for COPPA compliance) only. No biometric, health, or financial data intentionally processed. |
| Special Categories (GDPR Art. 9) | Not intentionally processed. CollegeRoster does not intentionally collect health, biometric, or disability data. Athlete profile fields (height, weight, sport, position) are athletic performance metrics, not medical information. |

Annex 2 — Technical and Organizational Security Measures

Security measures include AES-256 encryption at rest, TLS 1.2+ in transit, RBAC and RLS at the database layer, MFA for all administrative accounts, immutable audit logging, annual penetration testing, and confidentiality agreements for all personnel with data access. Recovery time objective (RTO): 4 hours. Recovery point objective (RPO): 24 hours.

Annex 3 — Current Sub-processors

| Sub-processor | Entity Location | Processing Location(s) | Service | Transfer Mechanism |
|---|---|---|---|---|
| Supabase Inc | Delaware (USA) | USA (primary) | Database, auth, real-time | SCCs / no transfer outside US |
| Cloudflare Inc | Delaware (USA) | Global CDN | R2 file/media storage | SCCs / no transfer outside US |
| Bunny.net by BunnyWay d.o.o. | Slovenia (EU) | EU + global CDN | Video hosting/transcoding | SCCs for EEA transfer — DPA execution tracked in issue #305 |
| Resend | Delaware (USA) | USA | Transactional email | SCCs / no transfer outside US — DPA execution tracked in issue #305 |
| Stripe, Inc. | Delaware (USA) | USA | Payment processing | SCCs / no transfer outside US |
| Tavily AI, Inc. | USA | USA | AI search features | SCCs / no transfer outside US |

Phareon LLC is a Tennessee limited liability company. This DPA is not legally effective until executed by both Parties.