Back to home

Data Processing Agreement

Last updated: April 2, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between RosterPass ("Processor") and the club organization ("Controller") using the RosterPass platform.

1. Definitions

  • Data Controller: The club organization that determines the purposes and means of processing personal data through the RosterPass platform.
  • Data Processor: RosterPass, which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person, including player names, contact information, birth years, and payment records.
  • Data Subject: The individual whose personal data is processed (club members, parents, players).
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.

2. Scope and Purpose of Processing

The Processor processes personal data solely for the purpose of providing the RosterPass platform services, including:

  • Club membership and roster management
  • Team scheduling and event coordination
  • Payment collection and dues tracking
  • Communication between club members
  • Registration and onboarding workflows

3. Obligations of the Processor

RosterPass shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality
  • Implement appropriate technical and organizational security measures, including encryption in transit and at rest, row-level security policies, and access controls
  • Assist the Controller in responding to requests from data subjects exercising their rights
  • Delete or return all personal data to the Controller at the end of the service relationship, unless retention is required by law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

4. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests for access, rectification, erasure, restriction, portability, and objection. The Processor will promptly notify the Controller of any data subject request received directly.

5. Sub-processors

The Controller authorizes the use of the following sub-processors:

  • Supabase (US): Database hosting, authentication, and file storage
  • Vercel (US): Application hosting and edge network delivery
  • Stripe (US): Payment processing and financial transaction handling
  • Sentry (US): Error monitoring and application performance tracking
  • Resend (US): Transactional email delivery

The Processor shall notify the Controller before engaging any new sub-processor. The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any case within 72 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.

7. Data Retention and Deletion

Personal data is retained for the duration of the service agreement. Upon termination or at the Controller's request, the Processor shall delete all personal data within 30 days, except where retention is required by applicable law. Payment transaction records may be retained as required for financial compliance.

8. International Data Transfers

All data processing occurs within the United States. If data is transferred outside the US, the Processor shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent mechanisms recognized under applicable data protection law.

9. Audit Rights

The Controller may request an audit of the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice and during normal business hours. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or documentation.

10. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the RosterPass platform. Obligations regarding data deletion and confidentiality shall survive termination.

Contact

For questions about this DPA, contact us at privacy@rosterpass.com.