Data Processing Agreement (DPA)
Last updated: 2026-04-17
This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and forms an integral part of the SaaS License Agreement ("Main Agreement") between the parties.
1. Parties and Background
This DPA is entered into between:
- Data Controller — The Customer as defined in the Main Agreement (the federation, confederation, or organization that subscribes to the Service).
- Data Processor — Easy Software System In Europe AB, org. nr 556967-4822, VAT SE556967482201, registered in Sweden.
2. Scope of Processing
The Processor processes Personal Data on behalf of the Controller as described below:
- Purpose — To provide the Petanque Life SaaS platform, including member management, competition management, licensing, communication, and all related features described in the Main Agreement.
- Categories of Personal Data — Name, email, phone number, date of birth, gender, nationality, postal address, license numbers, competition results, medical certificates (where applicable), financial transaction records, photographs, and any other data entered by the Controller or its Users.
- Categories of Data Subjects — Players, club members, officials, referees, coaches, administrators, spectators (where registered), and any other persons whose data is entered into the Service by the Controller.
- Duration — For the duration of the Main Agreement, plus a retention period of 90 days after termination for data export and deletion.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required by Union or Member State law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption (TLS 1.2+, AES-256), access controls (JWT ES512, RBAC), regular security testing, and incident response procedures.
- Not engage another processor without prior written authorization from the Controller (general authorization is granted for the sub-processors listed in Section 4).
- Assist the Controller in responding to requests from data subjects exercising their rights under GDPR Articles 15–22.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits.
4. Sub-Processors
The Controller grants general authorization for the Processor to engage the sub-processors listed below. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
Current sub-processors:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, web hosting, compute, container services | EU (North Europe) |
| Azure Cosmos DB | Database (MongoDB API), primary data storage | EU (North Europe) |
| SendGrid (Twilio) | Transactional email delivery (license confirmations, notifications) | EU |
| 46elks | SMS delivery (OTP, notifications) | Sweden (EU) |
| Stripe | Payment processing (license fees, subscriptions) | EU |
| Plausible Analytics | Privacy-friendly website analytics (no personal data processed) | EU |
5. International Data Transfers
All Personal Data is stored and processed within the EU/EEA. The primary data center is Azure North Europe (Ireland).
No Personal Data is transferred to third countries outside the EU/EEA. Should a transfer become necessary in the future, the Processor shall ensure that appropriate safeguards are in place in accordance with GDPR Chapter V (e.g., Standard Contractual Clauses or an adequacy decision).
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.
The Processor shall promptly inform the Controller if it receives a request directly from a data subject. The Processor shall not respond to such requests directly unless instructed to do so by the Controller.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any case within 48 hours) after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Processor's data protection contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
8. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's business operations. The Controller shall bear its own costs for audits.
9. Data Deletion and Return
Upon termination of the Main Agreement:
- The Controller may request export of all Personal Data in standard formats (JSON, CSV) within 90 days of the termination date.
- After the 90-day export period, all Personal Data shall be permanently and irreversibly deleted from the Processor's systems, including all backups.
- The Processor shall provide written confirmation of deletion upon request.
10. Term and Governing Law
This DPA shall remain in force for the duration of the Main Agreement and for as long as the Processor processes Personal Data on behalf of the Controller. This DPA is governed by Swedish law, and disputes shall be resolved in accordance with the dispute resolution clause in the Main Agreement.
For questions regarding this DPA, contact the Data Protection Officer at support@petanque.life.