Data Processing Agreement (DPA)

SPORTS GLOBAL – DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“DPA”) forms part of the agreement between Sports Global (Pty) Ltd (Reg No: 2016/168730/07) (“Processor”, “Sports Global”) and the League Tenant customer identified in the Order Form / Subscription (“Controller”, “Customer”).

If there is a conflict between this DPA and the main agreement, this DPA governs only personal data processing terms.

1) Definitions

• “Applicable Data Protection Law” means POPIA and, where applicable, GDPR and any other laws that apply to the processing of Personal Data under the agreement.

• “Personal Data” means any information relating to an identified or identifiable natural person processed under this DPA.

• “Processing”, “Controller”, “Processor”, “Sub-processor”, “Data Subject” have the meanings under Applicable Data Protection Law.

• “Customer Data” means Personal Data submitted to, stored in, or processed by the Platform on Customer’s behalf.
  

2) Roles of the parties

2.1 Customer as Controller. Customer is the Controller of Customer Data (including fans/users, officials, staff, and other end users within the League Tenant), and determines purposes and means of processing for league-specific use.

2.2 Sports Global as Processor. Sports Global processes Customer Data as a Processor to provide and operate the Platform per the agreement and Customer’s documented instructions.

2.3 Independent Controller processing. Sports Global may process limited data as an independent controller for platform-wide purposes such as security, fraud prevention, billing, and platform analytics, as described in the Sports Global Privacy Policy (to the extent that policy applies to that processing).

3) Details of processing

3.1 Subject matter: Provision of the Sports Global Platform (league operations + fan experience + FanHub features as enabled).

3.2 Duration: For the term of the agreement and any period thereafter where Sports Global retains data per Section 10 (return/deletion) or as required by law.

3.3 Nature and purpose: Hosting, storing, displaying, transmitting, securing, and otherwise processing Customer Data to provide Platform features, support, moderation tooling, analytics (if enabled), and operational functionality.

3.4 Categories of Data Subjects: End users/fans; league admins/moderators; league staff; players/officials (if profiles are created); Customer employees/contractors.

3.5 Types of Personal Data (may include):

• Account identifiers (name, email, username)

• League admin/staff roles and permissions

• FanHub content and metadata (posts/comments/media as uploaded)

• Usage data (device/browser, interaction logs, IP-derived approx location)

• Support communications

• Payment/customer admin billing metadata (Stripe IDs, plan status-no full card data)

3.6 Special categories: Not intentionally processed. Customer will not upload special-category data (health, biometric, etc.) unless expressly agreed in writing with appropriate safeguards.

4) Customer instructions

4.1 Sports Global will process Customer Data only on Customer’s documented instructions, including as necessary to provide the services, unless required by law.

4.2 Customer is responsible for ensuring its instructions comply with law. Sports Global will notify Customer if an instruction appears unlawful (where permitted).

5) Sports Global obligations (Processor)

Sports Global will:

• implement appropriate technical and organisational security measures (see Section 8),

• ensure personnel with access to Customer Data are bound by confidentiality,

• assist Customer with Data Subject requests and regulatory enquiries as set out in Section 7,

• notify Customer of a Personal Data Breach relating to Customer Data without undue delay (see Section 9),

• make available information reasonably necessary to demonstrate compliance with this DPA.
  

6) Sub-processors

6.1 General authorisation. Customer authorises Sports Global to use Sub-processors to provide the Platform.

6.2 Current Sub-processors (as of v1):

• Supabase – database, authentication, storage

• Vercel – web hosting/infrastructure (as applicable)

• Stripe – Payments processing (for billing/subscriptions)

• MailerSend – email delivery (transactional/service emails)

• Google Analytics – analytics (if enabled by Customer/Platform settings)

• Google AdSense – advertising delivery/measurement (if enabled)
  6.3 Sub-processor obligations. Sports Global will impose contractual obligations on Sub-processors that are no less protective than this DPA.
  6.4 Changes. Sports Global may update Sub-processors from time to time. Where required by law, Sports Global will provide notice of material changes and allow Customer to object on reasonable grounds.
  

7) Assistance with Data Subject requests and compliance

7.1 Taking into account the nature of processing, Sports Global will reasonably assist Customer to respond to Data Subject requests (access, deletion, correction, export) relating to Customer Data.

7.2 Customer is primarily responsible for responding to such requests. Sports Global may refer a Data Subject to Customer where the request relates to league-controlled processing.

7.3 Sports Global will provide reasonable assistance with DPIAs or prior consultations where required and where Customer’s use requires it, subject to reasonable fees if the workload is significant.

8) Security measures

Sports Global maintains safeguards appropriate to the risk, including (as applicable):

• encryption in transit (TLS) and encryption at rest (provider-managed where supported),

• access controls and least-privilege permissions,

• audit logging for admin actions (where implemented),

• secure secret management and no secrets in source control,

• backups and restore procedures,

• rate limiting and abuse prevention controls on public endpoints,

• monitoring and alerting for incidents.
  

Customer is responsible for:

• configuring its tenant roles/permissions appropriately,

• maintaining secure admin accounts and MFA where available,

• ensuring it does not upload unnecessary personal data.
  

9) Personal Data Breach notification

9.1 Sports Global will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data.

9.2 Notification will include, to the extent known:

• nature of the incident,

• likely consequences,

• measures taken or proposed,

• recommended steps Customer can take.

9.3 Sports Global will cooperate with Customer in investigating and mitigating the breach.
9.4 Customer is responsible for notifications to regulators/data subjects unless the parties agree otherwise.

10) Return and deletion of Customer Data

10.1 Upon termination, Sports Global will, at Customer’s choice and where feasible:

• provide export of Customer Data, and/or

• delete Customer Data within a reasonable period.

10.2 Sports Global may retain Customer Data where required by law or for legitimate purposes such as fraud prevention, dispute handling, security, and backups (with access restricted).

11) Audits

11.1 Customer may audit Sports Global’s compliance with this DPA no more than once per year, on reasonable notice, during business hours, and subject to confidentiality.

11.2 Sports Global may satisfy audit requests by providing third-party reports, summaries, or written attestations where appropriate.

11.3 Customer will bear its own costs and reimburse Sports Global for reasonable costs of extensive audits.

12) International transfers

Customer acknowledges that service providers may process data in other countries. Sports Global will implement appropriate safeguards for cross-border transfers where required by Applicable Data Protection Law.

13) Liability

Liability under this DPA is subject to the liability limitations in the main agreement, unless prohibited by law.

14) Contact

DPA/privacy contact: privacy@sportsglobal.eu

Support contact: support@sportsglobal.eu

Schedule A – Processing details

The processing details in Section 3 form Schedule A.