Data Processing Agreement
Last updated: 6 April 2026 · UK GDPR Article 28 compliant
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller: the club or organisation that has subscribed to ClubSentinel (“the Club”).
- Data Processor: Pin High Media / AIM Studio, the operator of ClubSentinel (“we”, “us”, “ClubSentinel”).
This DPA forms part of, and is incorporated into, the Terms of Service between the parties. In the event of a conflict, this DPA takes precedence with respect to data protection matters.
2. Subject Matter and Duration
This DPA governs the processing of personal data by ClubSentinel on behalf of the Club for the purpose of providing the ClubSentinel health and safety compliance management service.
This DPA is effective from the date the Club first uses the Service and remains in force until the earlier of: termination of the subscription; or deletion of all personal data following termination.
3. Nature and Purpose of Processing
ClubSentinel processes personal data on behalf of the Club for the following purposes:
- Storing and retrieving health and safety records entered by the Club's staff.
- Sending automated compliance alerts and notifications to designated club users.
- Providing audit trails and activity logs for regulatory purposes.
- Generating compliance reports on behalf of the Club.
We process personal data only on the documented instructions of the Club (as expressed through use of the Service features) and do not process data for our own purposes beyond what is necessary to provide the Service.
4. Categories of Personal Data
The following categories of personal data are processed under this DPA:
- Identity data: staff full names.
- Contact data: staff email addresses.
- Employment data: job titles, departments, roles within the club.
- Training records: training course names, completion dates, expiry dates, training status.
- Incident data: incident descriptions, dates, locations, persons involved, injury details, investigation notes, RIDDOR reportable information.
- DBS / safeguarding data: DBS check status, issue dates, expiry dates (where entered by the club).
- Activity log data: user actions and timestamps for audit trail purposes.
5. Categories of Data Subjects
The personal data processed relates to the following categories of data subjects:
- Club staff, employees, and volunteers.
- Club members and participants, where their details are included in incident or safeguarding records.
- Third-party contractors, where their details are included in maintenance or inspection records.
6. Processor Obligations
ClubSentinel agrees to:
- Process personal data only on the Club's documented instructions, unless required by law to do otherwise.
- Ensure that all personnel with access to personal data are subject to appropriate confidentiality obligations.
- Implement the technical and organisational security measures described in Section 9 of this DPA.
- Not engage sub-processors without the Club's prior general or specific written authorisation (general authorisation is given in Section 7 below).
- Assist the Club in responding to data subject rights requests under UK GDPR Articles 15–22.
- Notify the Club without undue delay upon becoming aware of a personal data breach affecting the Club's data.
- At the Club's choice, delete or return all personal data on termination of the Service.
- Provide the Club with all information necessary to demonstrate compliance with this DPA.
7. Sub-Processors
The Club provides general authorisation for ClubSentinel to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, and file storage | EU West (Ireland) |
| Vercel Inc. | Application hosting and content delivery | EU region (where available) |
| Anthropic PBC | AI assistant features (where enabled) | United States (SCCs apply) |
We will notify the Club of any intended changes to sub-processors by updating this DPA. The Club may object to such changes within 30 days; if no objection is received, the change is deemed accepted.
8. Data Subject Rights Assistance
ClubSentinel will provide reasonable technical assistance to help the Club fulfil its obligations to respond to data subject requests. This includes:
- Providing data export functionality so the Club can respond to access requests.
- Enabling deletion of individual user records where instructed by the Club.
- Providing audit logs to assist with accountability obligations.
The Club, as Data Controller, remains responsible for handling all data subject requests in accordance with UK GDPR.
9. Security Measures
ClubSentinel implements the following technical and organisational security measures:
- Encryption at rest: all data stored in Supabase is encrypted using AES-256.
- Encryption in transit: all data transmitted between clients and servers uses TLS 1.2 or higher (HTTPS).
- Access controls: row-level security (RLS) policies ensure strict data isolation between clubs. Users can only access data belonging to their own club.
- Authentication: secure password hashing via bcrypt; support for strong password policies.
- Role-based access: user permissions within a club are controlled by role (admin, manager, H&S officer, staff).
- Audit logging: all material changes to data are logged with user identity and timestamp.
- Backup: automatic daily backups maintained by Supabase with point-in-time recovery.
- Vulnerability management: dependencies are monitored and updated regularly.
10. Data Breach Notification
In the event of a personal data breach affecting the Club's data, ClubSentinel will:
- Notify the Club within 72 hours of becoming aware of the breach.
- Provide details of the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences.
- Describe the measures taken or proposed to address the breach and mitigate its effects.
The Club remains responsible for notifying the ICO and affected data subjects in accordance with UK GDPR Articles 33 and 34.
11. Data Deletion on Termination
Upon termination of the subscription for any reason:
- The Club's data will remain accessible for 30 days to allow export.
- After 30 days, all personal data will be permanently and irreversibly deleted from production systems.
- Backup copies may persist for up to 90 days before being purged from backup systems.
- We will provide written confirmation of deletion upon request.
12. Audit Rights
The Club may, with at least 30 days' written notice and no more than once per calendar year, request an audit of ClubSentinel's data processing activities relevant to this DPA. We may satisfy audit requests by:
- Providing up-to-date certifications or third-party audit reports.
- Responding to reasonable written questionnaires.
- Facilitating an on-site audit at a mutually agreed time (costs to be borne by the Club).
13. International Transfers
Where personal data is transferred to a country outside the UK/EEA (for example, to Anthropic in the United States), such transfers are made subject to appropriate safeguards including UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs), as applicable.
14. Governing Law
This DPA is governed by the laws of England and Wales. Disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
