
Data Processing Addendum

Effective: May 2, 2026 · Version 1.0

This Data Processing Addendum (“DPA”) forms part of the SaaS Subscription Agreement or other written agreement between Island Pitch LLC (“Island Pitch”) and the customer entity identified in the agreement (“Customer”) (together, the “Agreement”). It applies when Island Pitch processes Personal Data on behalf of Customer in connection with the NextWave Services.

For Self-Hosted Deployments, Island Pitch is not Customer's data processor for member or End-User personal data Customer stores on its own infrastructure. This DPA still applies to limited telemetry described in Section 7 of the SaaS Subscription Agreement.

1. Definitions

  • Data Protection Laws means all applicable data protection and privacy laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA/CPRA”).
  • Personal Data means Customer Data that identifies or relates to an identifiable natural person and that is processed by Island Pitch on behalf of Customer in connection with the Services.
  • Controller, Processor, Data Subject, Processing, and Personal Data Breach have the meanings given in the GDPR.
  • Sub-processor means any third party engaged by Island Pitch to process Personal Data.
  • SCCs means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914 of 4 June 2021.
  • UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner's Office (version B1.0).

2. Roles of the Parties

For Personal Data of End Users processed in connection with Cloud-Hosted Deployments, Customer is the Controller and Island Pitch is the Processor. For limited operational telemetry described in Section 7 of the SaaS Subscription Agreement, Island Pitch acts as an independent Controller for its own legitimate interests in operating, securing, and improving the Services.

Each party will comply with its respective obligations under Data Protection Laws.

3. Subject Matter, Duration, Nature, and Purpose

  • Subject matter: Provision of the NextWave membership-management Services to Customer.
  • Duration: The term of the Agreement plus any post-termination period during which Customer Data is retained for export.
  • Nature and purpose of processing: Hosting, storage, transmission, display, backup, and analysis of Customer Data to provide the Services, including authentication, billing, license validation, member management, benefit redemption tracking, NFC card management, venue management, communications, and analytics.
  • Categories of Data Subjects: Customer's authorized users; Customer's members and prospective members; venue staff; visitors to Customer's site.
  • Categories of Personal Data: Names; email addresses; phone numbers; postal addresses; date of birth (if collected); membership status, tier, and history; benefit redemption records; NFC card identifiers; venue check-in records; profile photos (if uploaded); user IDs and authentication tokens; IP addresses and device information; communication content (where Customer chooses to send messages through the Plugin).
  • Special-category data: The Services are not designed to process sensitive or special-category data. Customer must not submit special-category data, criminal-history data, government-issued identification numbers, or HIPAA Protected Health Information unless the parties have separately agreed in writing.

4. Customer Instructions

Island Pitch will process Personal Data only on documented instructions from Customer, including transfers to third countries, unless required to do otherwise by applicable law (in which case Island Pitch will inform Customer before processing, unless prohibited by law). Customer's use of the Services in accordance with the Agreement constitutes its complete and final instructions to Island Pitch. Additional or alternative instructions must be agreed in writing.

Island Pitch will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

5. Confidentiality of Personnel

Island Pitch ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and have undergone reasonable training on data protection and information security.

6. Security

Island Pitch will implement and maintain appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Island Pitch's current security measures are described in Schedule 2 (Technical and Organizational Measures) below.

7. Sub-processors

Customer authorizes Island Pitch to engage Sub-processors to process Personal Data, subject to the conditions in this Section 7. The current list of Sub-processors is set forth in Schedule 1 below.

Island Pitch will: (a) impose data-protection obligations on Sub-processors that are no less protective than those in this DPA; (b) remain liable to Customer for the performance of Sub-processors' obligations; and (c) provide notice of new Sub-processors at least thirty (30) days before they begin processing, by updating Schedule 1 and (where Customer has subscribed to notifications) by email to the account's legal-notices address.

Customer may object to a new Sub-processor on reasonable data-protection grounds within thirty (30) days of notice. If the parties cannot agree on a resolution, Customer may terminate the affected portion of the Services and receive a pro-rata refund of pre-paid, unused fees.

8. Data Subject Rights

Taking into account the nature of the processing, Island Pitch will provide Customer with reasonable assistance through appropriate technical and organizational measures, insofar as possible, to enable Customer to fulfill its obligation to respond to requests by Data Subjects to exercise their rights under Data Protection Laws (e.g., access, rectification, erasure, restriction, portability, and objection). The Services include export and deletion tools that Customer can use directly. If Island Pitch receives a request directly from a Data Subject, Island Pitch will, where lawful, refer the Data Subject to Customer.

9. Data Breach Notification

Island Pitch will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Data within Island Pitch's custody. Notice will include, to the extent then known: the nature of the breach; categories and approximate number of Data Subjects and records concerned; likely consequences; and measures taken or proposed. Island Pitch's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.

10. Data Protection Impact Assessment

Island Pitch will provide Customer with reasonable cooperation and assistance, taking into account the nature of the processing and information available to Island Pitch, in connection with Customer's data protection impact assessments and prior consultations with supervisory authorities.

11. Audits

To demonstrate compliance with this DPA, Island Pitch will, at Customer's reasonable written request and not more than once per year (except following a Personal Data Breach), make available: (a) Island Pitch's then-current SOC 2 or equivalent security report (when available); (b) responses to a security questionnaire of reasonable scope; and (c) summary information about its security program. Where these are insufficient to satisfy a documented audit obligation under Data Protection Laws, Customer may request, on reasonable advance notice and at Customer's expense, an on-site audit during business hours, conducted by Customer or an independent auditor acceptable to Island Pitch and bound by confidentiality, in a manner that does not unreasonably interfere with Island Pitch's operations or compromise the data of other customers.

12. International Transfers

Island Pitch processes Personal Data primarily in the United States. Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not subject to an adequacy decision, the transfer is governed by the SCCs (Module Two: Controller-to-Processor) and, for UK transfers, the UK Addendum, which are incorporated by reference into this DPA with the following selections:

  • Clause 7 (Docking): Optional clause applies.
  • Clause 9 (Sub-processors): Option 2 (general written authorization) applies; the time period for advance notice is thirty (30) days as set forth in Section 7 of this DPA.
  • Clause 11 (Redress): Optional independent dispute resolution does not apply.
  • Clause 17 (Governing law): The law of the Republic of Ireland.
  • Clause 18 (Forum): The courts of Ireland.
  • Annex I.A: Customer is the Data Exporter; Island Pitch is the Data Importer. Contact details are those in the Agreement.
  • Annex I.B: The categories of Data Subjects, Personal Data, and processing purposes set forth in Section 3 of this DPA.
  • Annex I.C: The competent supervisory authority is the Irish Data Protection Commission.
  • Annex II: The technical and organizational measures in Schedule 2 of this DPA.
  • Annex III: The Sub-processors in Schedule 1 of this DPA.

For UK transfers, the UK Addendum is completed as follows: Part 1 Table 1 is populated from the Agreement; Table 2 references the SCCs version published by the European Commission on 4 June 2021 (Module Two); Table 3 is populated from the Annexes referenced above; Table 4 specifies that neither the importer nor the exporter may end the UK Addendum on a change of UK Approved Addendum.

For Swiss transfers, references in the SCCs to the GDPR are deemed to include the Swiss FADP, references to the supervisory authority include the Swiss Federal Data Protection and Information Commissioner, and references to a Member State include Switzerland.

13. CCPA / CPRA

To the extent Island Pitch processes Personal Information of California consumers, Island Pitch is a “Service Provider” or “Contractor” (as those terms are defined in the CCPA/CPRA). Island Pitch certifies that it understands the restrictions in Cal. Civ. Code § 1798.140 and will: (a) not sell or share Personal Information; (b) not retain, use, or disclose Personal Information outside the direct business relationship with Customer or for any purpose other than the specific purposes described in the Agreement; (c) not combine Personal Information received from or on behalf of Customer with personal information from other sources, except as permitted under the CCPA/CPRA; and (d) notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.

14. Return and Deletion of Personal Data

Following termination of the Agreement, Island Pitch will, at Customer's choice, return or delete Personal Data within thirty (30) days unless retention is required by law. Backups containing Personal Data are deleted in the ordinary course of Island Pitch's backup retention cycle (currently 30 days).

15. Liability

Each party's liability under or in connection with this DPA is subject to the limitations of liability in the Agreement. Notwithstanding the foregoing, where the SCCs apply, Data Subject rights of action under the SCCs are not limited by this Section 15 to the extent such limitation is prohibited by the SCCs.

16. Conflict

In the event of a conflict between this DPA and the Agreement, this DPA prevails for matters relating to the processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs prevail with respect to international transfers.

Schedule 1 — Sub-processors

Sub-processor | Purpose | Location
Amazon Web Services, Inc. | Hosting (CloudFront, S3, EC2, RDS), authentication (Cognito), serverless (Lambda), database (DynamoDB), email delivery (SES), parameter store, monitoring | United States (us-west-2 primary)
Stripe, Inc. | Payment processing, subscription billing, customer billing portal | United States
HubSpot, Inc. | CRM, form submissions, transactional and marketing email (where Customer enables) | United States
Google LLC | Google Analytics 4 measurement (Consent Mode v2) | United States
PostHog, Inc. | Product analytics and behavioral telemetry | United States

Island Pitch may add or change Sub-processors in accordance with Section 7. Customer may subscribe to Sub-processor change notifications by emailing legal@islandpitch.com.

Schedule 2 — Technical and Organizational Measures

Access Control

  • Role-based access control with least-privilege principles for Island Pitch personnel;
  • Multi-factor authentication required for administrative access to production systems;
  • Quarterly access reviews;
  • Customer authentication via AWS Cognito with SRP and refresh-token flows; account passwords are never stored in clear text and are managed by Cognito.

Encryption

  • TLS 1.2 or higher for data in transit;
  • AWS server-side encryption (AES-256) for data at rest in S3, DynamoDB, and RDS;
  • Secrets stored in AWS Systems Manager Parameter Store using SecureString (KMS-backed) encryption;
  • Stripe webhook payload signatures verified before processing.

Network Security

  • AWS-managed VPC with private subnets for application and database tiers;
  • Security groups restrict ingress to required ports;
  • CloudFront with managed WAF rules for the marketing site and admin endpoints;
  • Routine vulnerability scanning of internet-facing endpoints.

Application Security

  • Input validation and output escaping per WordPress and OWASP guidance;
  • JWT-based API authentication with short-lived access tokens;
  • Code review prior to deployment; automated unit and integration tests;
  • Coordinated vulnerability disclosure program (security@islandpitch.com).

Operational Security

  • Centralized logging with retention sufficient to support security investigations;
  • Incident response runbook and on-call rotation for production-down incidents;
  • Background checks for personnel with production access, where permitted by law;
  • Annual security awareness training.

Business Continuity

  • Daily backups retained for 30 days for Cloud-Hosted Deployments;
  • Documented RPO of 24 hours and RTO of 8 hours;
  • Periodic restore testing.

Contact

Island Pitch LLC — Privacy Office

DPA / Privacy: privacy@islandpitch.com

Security: security@islandpitch.com

Legal: legal@islandpitch.com