
Data Processing Agreement

This DPA governs how B.E.S.A processes personal data in connection with the BESA Coaching platform, in full compliance with GDPR Article 28, CCPA, VCDPA, and other applicable data protection laws.

Last updated: May 25, 2026 · Effective: May 25, 2026 · B.E.S.A

This document is effective immediately upon posting. Continued use of the BESA Coaching platform constitutes acceptance of the current version.

This Data Processing Agreement ("DPA") supplements and is incorporated into the BESA Coaching Terms of Service and Privacy Policy. In the event of a conflict between this DPA and those documents with respect to data processing matters, this DPA governs.

1. Scope & Purpose

This Data Processing Agreement ("DPA") is entered into between B.E.S.A ("BESA Coaching") and users of the BESA Coaching platform ("Users"), including Coaches and Clients. It governs all processing of personal data carried out by BESA Coaching in connection with the provision of the Platform and its services.

This DPA is designed to ensure compliance with applicable data protection laws, including:

  • EU General Data Protection Regulation (GDPR) 2016/679, including Article 28 (Processor obligations)
  • UK General Data Protection Regulation (UK GDPR)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Other applicable U.S. state and federal privacy laws

This DPA applies to all personal data processed by BESA Coaching on behalf of Coaches (as independent data controllers) and to personal data processed by BESA Coaching as an independent controller for its own business purposes.

2. Definitions

Terms used in this DPA have the meanings given in the GDPR, CCPA/CPRA, and VCDPA, as applicable. Key definitions include:

  • "Personal Data" Any information relating to an identified or identifiable natural person ("Data Subject").
  • "Processing" Any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Controller" The natural or legal person that determines the purposes and means of processing personal data.
  • "Processor" The natural or legal person that processes personal data on behalf of the Controller.
  • "Sub-Processor" Any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Data Subject" The identified or identifiable natural person to whom personal data relates.
  • "Personal Data Breach" A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  • "Supervisory Authority" An independent public authority responsible for monitoring the application of data protection law (e.g., EU Member State DPA, UK ICO).
  • "Standard Contractual Clauses" (SCCs) Contractual clauses approved by the European Commission for international data transfers.

3. Roles of the Parties

The parties acknowledge the following data processing roles, which may vary depending on the context:

3.1 BESA Coaching as Independent Controller

BESA Coaching acts as an independent Controller for personal data it collects and processes for its own business purposes, including:

  • Account registration and management
  • Subscription billing and payment processing
  • Platform analytics and performance monitoring
  • Fraud prevention and security
  • Legal and regulatory compliance (including tax reporting)
  • Marketing communications (with consent where required)

3.2 BESA Coaching as Processor on Behalf of Coaches

BESA Coaching acts as a Processor when processing personal data on behalf of Coaches, specifically when storing and managing Client data that Coaches collect through Platform features, including:

  • Session notes and coaching records created by Coaches
  • Client intake form responses collected through Coach-configured forms
  • Goal tracking and action plan data entered by Clients at Coach direction
  • Client progress data and session history managed by Coaches

3.3 Coaches as Independent Controllers

Coaches act as independent Controllers for personal data they collect from their Clients through the Platform. Coaches are independently responsible for ensuring their data collection and processing activities comply with applicable data protection laws, including obtaining any required consents from Clients.

3.4 Joint Controllership

In certain contexts (e.g., booking data that serves both BESA Coaching's operational purposes and the Coach's service delivery purposes), BESA Coaching and the Coach may act as joint Controllers. In such cases, each party is responsible for its own processing activities and for complying with applicable law with respect to those activities.

4. Categories of Personal Data Processed

Category | Examples | Sensitivity Level | Processed By
Identity Data | Full name, username, profile photo | Standard | BESA Coaching (Controller)
Contact Data | Email address, phone number (if provided) | Standard | BESA Coaching (Controller)
Account & Authentication Data | Role, subscription status, login history, password hash, MFA settings | Sensitive | BESA Coaching (Controller)
Financial & Payment Data | Payment method tokens, transaction amounts, billing address, payout account details | Highly Sensitive | BESA Coaching (Controller) / Stripe (Sub-Processor)
Session & Coaching Content | Session notes, goal entries, mood tracker data, action plans, intake form responses | Sensitive | BESA Coaching (Processor on behalf of Coach)
Communication Data | Messages between coaches and clients, support tickets | Standard | BESA Coaching (Controller)
Usage & Behavioral Data | Pages visited, features used, booking history, session attendance, click patterns | Standard | BESA Coaching (Controller)
Technical Data | IP address, browser type, device identifiers, cookies | Standard | BESA Coaching (Controller)
Credential & Verification Data | Professional certifications, licenses, identity documents (if submitted) | Sensitive | BESA Coaching (Controller)
Tax & Compliance Data | Tax identification numbers, 1099 reporting data (Coaches) | Highly Sensitive | BESA Coaching (Controller)

6. Processor Obligations (GDPR Article 28)

When acting as a Processor on behalf of Coach Controllers, BESA Coaching agrees to the following obligations in accordance with GDPR Article 28:

  • Process personal data only on documented instructions from the Controller (the Coach), unless required to do so by applicable law, in which case BESA Coaching will inform the Controller before processing unless prohibited by law
  • Ensure that all personnel authorized to process personal data are subject to binding confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 8
  • Not engage Sub-Processors without prior written authorization from the Controller; general authorization is granted for the Sub-Processors listed in Section 7
  • Assist the Controller in responding to Data Subject rights requests within applicable timeframes
  • Assist the Controller in ensuring compliance with security obligations (Art. 32), breach notification obligations (Arts. 33-34), data protection impact assessments (Art. 35), and prior consultation requirements (Art. 36)
  • At the choice of the Controller, delete or return all personal data upon termination of services, and delete existing copies unless retention is required by applicable law
  • Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations
  • Allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to the conditions in Section 15

7. Authorized Sub-Processors

BESA Coaching uses the following authorized Sub-Processors. By accepting this DPA (through acceptance of the Terms of Service), Controllers grant general authorization for BESA Coaching to engage these Sub-Processors. All Sub-Processors are bound by data processing agreements consistent with this DPA and GDPR Article 28 requirements:

Sub-Processor | Purpose | Data Processed | Location | Privacy Policy
Stripe, Inc. | Payment processing, fraud prevention, Coach disbursements via Stripe Connect | Payment data, transaction records, payout account details | United States (with SCCs for EEA transfers) | stripe.com/privacy
Zoom Video Communications | Video session facilitation | Session metadata (meeting IDs, attendance records) | United States (with SCCs for EEA transfers) | zoom.us/privacy
Cloud Infrastructure Provider | Hosting, database management, storage, CDN | All Platform data | United States | Per provider policy
Email Service Provider | Transactional and marketing email delivery | Email address, name, communication preferences | United States | Per provider policy
Analytics Provider | Aggregated usage analytics and performance monitoring | Anonymized/aggregated usage data | United States | Per provider policy

Sub-Processor Changes. BESA Coaching will notify Controllers of any intended changes to Sub-Processors (additions or replacements) with at least 30 days' advance notice via email or Platform notification. Controllers who object to a new Sub-Processor on reasonable data protection grounds may terminate their account within the notice period. Continued use of the Platform after the notice period constitutes acceptance of the new Sub-Processor.

8. Technical & Organizational Security Measures (GDPR Art. 32)

BESA Coaching implements the following security measures, appropriate to the risk level of the data processed, in accordance with GDPR Article 32:

Technical Measures

  • TLS 1.2+ encryption for all data in transit between clients and servers (encryption in transit)
  • AES-256 encryption for sensitive personal data stored at rest in databases (encryption at rest)
  • Bcrypt hashing with unique random salts for all user passwords; plaintext passwords are never stored
  • Tokenization of payment card data through Stripe; raw card numbers are never stored by BESA Coaching
  • Database-level encryption and comprehensive access logging with anomaly detection
  • Web Application Firewall (WAF) and DDoS mitigation infrastructure
  • Automated vulnerability scanning, dependency security monitoring, and patch management
  • Secure session management with configurable timeout and automatic expiration
  • Multi-factor authentication (MFA) support for all user accounts
  • Network segmentation and firewall rules limiting access to production systems
  • Regular automated backups with encrypted storage and tested recovery procedures

Organizational Measures

  • Role-based access controls (RBAC); data access strictly limited to personnel with a documented, current need-to-know
  • Annual security awareness training for all personnel with access to personal data
  • Binding confidentiality agreements for all personnel and contractors
  • Documented incident response plan with defined roles, escalation procedures, and breach notification timelines
  • Regular security assessments, penetration testing (at least annually), and third-party security audits
  • Vendor security assessments and contractual security requirements for all Sub-Processors
  • Privacy-by-design and privacy-by-default principles applied to all new feature development
  • Data minimization practices, collecting only data strictly necessary for stated purposes
  • Formal data classification policy governing handling of different sensitivity levels

9. Data Retention & Deletion

Data Category | Retention Period | Legal Basis for Retention
Active account data | Duration of account + 90 days after deletion request | Contract performance
Transaction & payment records | 7 years from transaction date | IRS requirements (26 U.S.C. § 6001), legal obligation
Session notes & coaching content | 3 years from creation or account deletion | Service continuity, dispute resolution
Communication logs (messages) | 2 years from date of communication | Dispute resolution, fraud prevention
Usage & technical logs | 12 months rolling | Security monitoring, fraud prevention
Deleted account data | Purged within 90 days of deletion request | Operational processing time
Backup copies | Up to 180 days after deletion from primary systems | Disaster recovery
Tax & compliance records (Coaches) | 7 years minimum from tax year end | IRS legal obligation
Fraud & security investigation records | Up to 5 years from incident | Legitimate interests, legal obligation
Consent records | 3 years from withdrawal of consent | Compliance demonstration (GDPR Art. 7(1))

Upon account deletion or termination of services, BESA Coaching will delete or irreversibly anonymize personal data within the timeframes above, except where retention is required by applicable law. Upon written request, BESA Coaching will provide confirmation of data deletion within 30 days.

10. International Data Transfers

BESA Coaching is based in the United States. Personal data may be transferred to and processed in the United States and other countries where our Sub-Processors operate. The United States does not have an adequacy decision from the European Commission for general data transfers.

For transfers of personal data from the EEA or UK to the United States, BESA Coaching relies on the following appropriate safeguards:

  • Standard Contractual Clauses (SCCs): EU Commission Decision 2021/914 (Module 2: Controller to Processor) for EEA-to-US transfers.
  • UK International Data Transfer Agreements (IDTAs): For UK-to-US transfers under UK GDPR.
  • EU-U.S. Data Privacy Framework: Where applicable Sub-Processors are certified under the DPF.
  • Supplementary Measures: Technical measures (encryption, pseudonymization) and contractual measures to address any residual risks identified in transfer impact assessments.

Copies of applicable transfer mechanisms and transfer impact assessments are available upon written request at [email protected].

11. Data Subject Rights Assistance

BESA Coaching will assist Controllers in fulfilling Data Subject rights requests within applicable legal timeframes. Data Subjects may exercise the following rights by contacting [email protected]:

Right (Legal Basis) | Description | Response Timeframe
Right of Access (Art. 15 GDPR / CCPA) | Receive a copy of personal data held | 30 days (GDPR); 45 days (CCPA)
Right to Rectification (Art. 16 GDPR) | Correct inaccurate or incomplete data | 30 days
Right to Erasure (Art. 17 GDPR / CCPA) | Delete personal data (subject to exceptions) | 30 days
Right to Data Portability (Art. 20 GDPR) | Receive data in machine-readable format | 30 days
Right to Restriction (Art. 18 GDPR) | Restrict processing in specified circumstances | 30 days
Right to Object (Art. 21 GDPR) | Object to processing based on legitimate interests | 30 days (immediate for marketing)
Right to Withdraw Consent | Withdraw consent at any time | Immediate
Right to Lodge Complaint | Contact supervisory authority | N/A (refer to relevant DPA)

Identity verification may be required before processing rights requests to protect against unauthorized access. We will not charge a fee for reasonable requests but may charge a reasonable fee for manifestly unfounded or excessive requests.

12. Personal Data Breach Notification

In the event of a confirmed or suspected Personal Data Breach, BESA Coaching will:

  • Notify affected Controllers without undue delay, and in any event within 72 hours of becoming aware of the breach (where feasible), in accordance with GDPR Article 33
  • Provide notification containing: (a) description of the nature of the breach; (b) categories and approximate number of Data Subjects affected; (c) categories and approximate number of personal data records affected; (d) name and contact details of the data protection contact; (e) likely consequences of the breach; (f) measures taken or proposed to address the breach and mitigate its effects
  • Cooperate with Controllers in notifying relevant Supervisory Authorities and affected Data Subjects as required by applicable law
  • Take immediate steps to contain the breach, prevent further unauthorized access, and remediate the vulnerability
  • Maintain a comprehensive record of all Personal Data Breaches, including those not requiring notification, in accordance with GDPR Article 33(5)
  • Provide ongoing updates to Controllers as the investigation progresses

To report a security incident or suspected breach: [email protected]

Breach notification under this DPA does not constitute an admission of fault or liability by BESA Coaching.

13. Data Protection Impact Assessments (DPIA)

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (as defined in GDPR Article 35), BESA Coaching will:

  • Conduct a Data Protection Impact Assessment (DPIA) prior to implementing the processing activity
  • Consult with the relevant Supervisory Authority where required under GDPR Article 36
  • Assist Controllers in conducting DPIAs for processing activities carried out on their behalf
  • Maintain records of DPIAs conducted and make them available to Controllers and Supervisory Authorities upon request

Processing activities that may require a DPIA include: large-scale processing of sensitive personal data, systematic monitoring of publicly accessible areas, and use of new technologies with significant privacy implications.

14. Records of Processing Activities (GDPR Art. 30)

In accordance with GDPR Article 30, BESA Coaching maintains Records of Processing Activities (ROPA) documenting all processing activities carried out as Controller and as Processor. The ROPA includes:

  • Name and contact details of the Controller and, where applicable, the joint Controller, the Controller's representative, and the Data Protection Officer
  • The purposes of the processing
  • A description of the categories of Data Subjects and categories of personal data
  • The categories of recipients to whom personal data has been or will be disclosed
  • Transfers of personal data to third countries or international organizations, including documentation of appropriate safeguards
  • The envisaged time limits for erasure of the different categories of data
  • A general description of the technical and organizational security measures

The ROPA is maintained in electronic form and is available to Supervisory Authorities upon request. Controllers may request a summary of processing activities carried out on their behalf by contacting [email protected].

Lawfulness, Fairness & Transparency. BESA Coaching processes personal data lawfully, fairly, and in a transparent manner. The legal bases for all processing activities are documented in the ROPA and disclosed in the Privacy Policy. Data Subjects are informed of processing activities at the time of data collection through the Privacy Policy and, where required, through specific consent notices.

15. Audit Rights & Compliance Demonstration

BESA Coaching will provide Controllers with all information reasonably necessary to demonstrate compliance with this DPA and applicable data protection law, including GDPR Article 28 obligations.

Audit Conditions:

  • Controllers may request an audit of BESA Coaching's data processing activities no more than once per calendar year, absent a documented security incident
  • Audit requests must be submitted in writing with at least 30 days' advance notice
  • Audits must be conducted during normal business hours and must not unreasonably interfere with BESA Coaching's operations
  • All audit costs are borne by the requesting Controller
  • Auditors must be bound by confidentiality obligations acceptable to BESA Coaching
  • BESA Coaching may satisfy audit requests by providing relevant third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certification) in lieu of on-site audits, where such reports adequately address the Controller's concerns

16. Liability & Indemnification

Each party shall be liable for damages caused by processing that infringes applicable data protection law, in accordance with GDPR Article 82. Where both parties are responsible for damage caused by processing, each shall be held liable for the entire damage, with the right to claim back from the other party the part of the damage corresponding to their responsibility.

A party is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

BESA Coaching's liability under this DPA is subject to the aggregate liability limitations set forth in the Terms of Service.

17. Termination & Data Return

Upon termination of the agreement between BESA Coaching and a Controller (whether by account deletion, subscription cancellation, or otherwise), BESA Coaching will, at the Controller's choice:

  • Delete all personal data processed on behalf of the Controller within 90 days of termination, and provide written confirmation of deletion; or
  • Return all personal data to the Controller in a structured, commonly used, machine-readable format (e.g., CSV or JSON export) within 30 days of termination, and thereafter delete all copies

Exceptions apply where retention is required by applicable law (e.g., tax records, legal holds). In such cases, BESA Coaching will notify the Controller of the specific data retained and the legal basis for retention.

The obligations of this DPA that by their nature should survive termination (including security, confidentiality, and breach notification obligations) shall survive termination for as long as BESA Coaching retains any personal data subject to this DPA.

18. Contact & DPO

Data Protection Officer (DPO) / Privacy Contact. While BESA Coaching may not be legally required to appoint a formal DPO under GDPR Article 37 (as it does not engage in large-scale systematic monitoring or large-scale processing of special category data as a core activity), BESA Coaching has designated a Privacy Contact responsible for data protection matters:

Data Protection Contact — B.E.S.A

Privacy & DPA inquiries: [email protected]

Security incidents & breaches: [email protected]

Legal & compliance: [email protected]

EU/UK Representative: For EU and UK Data Subjects, BESA Coaching's Privacy Contact serves as the point of contact for data protection matters. EU and UK Data Subjects may also lodge complaints with their local Supervisory Authority (e.g., the UK ICO at ico.org.uk, or the relevant EU Member State DPA via edpb.europa.eu).

For urgent security matters, include "URGENT — DATA BREACH" in the subject line. We will acknowledge within 24 hours. This DPA was last updated May 25, 2026.

This document is provided for informational purposes. For questions, contact [email protected]. Nothing on this platform constitutes legal advice.