Data Processing Agreement
Coach Portal DPA Template — Effective April 27, 2026
Template. This is a template Data Processing Agreement. For an executed agreement covering your Coach Portal use, contact [email protected]. Electronic signing via DocuSign is available upon request.
This Data Processing Agreement ("DPA") is entered into by and between the entity identified as "Customer" on the signature page ("Customer") and Saturday Inc., a Delaware corporation with its principal office at 8 The Green, STE A, Dover, DE 19901 ("Saturday"). This DPA supplements and forms part of the Coach Terms of Service (the "Coach Terms") and any other agreement between Customer and Saturday governing Customer's use of the Saturday Coach Portal (collectively, the "Agreement").
The parties agree as follows:
1. Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. In this DPA:
"Controller" means the Customer, being the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data through the Saturday Coach Portal.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"EEA" means the European Economic Area.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation), as amended, supplemented, or replaced from time to time.
"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Saturday on behalf of Customer in connection with the Coach Portal, as further described in Annex 1. "Personal Data" has the meaning given to "personal data" in Article 4(1) of the GDPR.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
"Processing" (and its cognates "Process," "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Processor" means Saturday Inc., which Processes Personal Data on behalf of the Controller as described in this DPA.
"Special Categories of Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as described in Article 9 of the GDPR.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, supplemented, or replaced from time to time.
"Sub-processor" means any third party engaged by Saturday to Process Personal Data on behalf of Customer in connection with the Coach Portal.
"Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0), issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as revised under Section 18 of the Mandatory Clauses of the Addendum.
"UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
2. Scope and Application
2.1 This DPA applies to Saturday's Processing of Personal Data on behalf of Customer in connection with Customer's use of the Saturday Coach Portal, including athlete identity data, health and biometric data, activity data, billing data, audit data, and organization membership data.
2.2 This DPA is effective upon execution by both parties and remains in effect for the duration of Customer's Coach Portal subscription under the Agreement. Termination or expiration of the Agreement automatically terminates this DPA, subject to the obligations in Section 15 (Return or Deletion of Personal Data).
2.3 In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
2.4 This DPA does not apply to Personal Data for which Saturday is a Controller in its own right (for example, Customer account registration data or data Saturday collects for its own business purposes). Saturday's processing of such data is governed by Saturday's Website Privacy Policy and App Privacy Policy.
3. Roles and Responsibilities
3.1 Customer as Controller. Customer is the Controller of Personal Data Processed through the Coach Portal. Customer determines the purposes and means of Processing and is responsible for ensuring that its use of the Coach Portal complies with applicable data protection laws, including the GDPR.
3.2 Saturday as Processor. Saturday is the Processor of Personal Data and shall Process Personal Data only on behalf of and in accordance with Customer's documented instructions. Saturday shall not Process Personal Data for any purpose other than providing, securing, and monitoring the Coach Portal service as described in this DPA, the Agreement, and Customer's documented instructions.
3.3 Documented Instructions. Customer's instructions to Saturday regarding the Processing of Personal Data are documented in: (a) the Coach Terms of Service; (b) the Coach Privacy Policy; (c) this DPA; and (d) any written addenda or amendments agreed and signed by both parties. Saturday shall promptly inform Customer if, in Saturday's opinion, an instruction from Customer infringes the GDPR or other applicable data protection law.
3.4 Processing Outside Instructions. Saturday shall not Process Personal Data outside Customer's documented instructions unless required to do so by applicable law to which Saturday is subject. In such a case, Saturday shall inform Customer of that legal requirement before Processing, unless the law prohibits such notification on important grounds of public interest.
4. Description of Processing
In accordance with Article 28(3) of the GDPR, the following details describe the Processing carried out under this DPA:
- Subject Matter: The provision of the Saturday Coach Portal, enabling coaches and organizations to manage athlete relationships, view compliance data, process billing through Stripe Connect, generate organizational analytics, and maintain audit logs of administrative actions.
- Duration: For the term of Customer's Coach Portal subscription under the Agreement, plus any post-termination retention periods specified in Section 15.
- Nature and Purpose: Storage, retrieval, display, organization, structuring, adaptation, transmission, and erasure of Personal Data as necessary to provide the Coach Portal service, including athlete roster management, compliance monitoring, billing operations, audit logging, impersonation for support purposes, and communication facilitation.
- Categories of Personal Data: As described in Section 5 (Data Categories) and Annex 1.
- Categories of Data Subjects: Athletes (end users of the Saturday app who have consented to coach access); coaches (individual coaching professionals); coach organization members (administrators, assistant coaches, billing administrators, read-only coaches); and Saturday staff (when exercising impersonation for support or administrative purposes).
- Special Categories: Health data and biometric data (athlete activity data, sport type, duration, and compliance metrics may constitute health-related data under Article 9 of the GDPR). Customer is responsible for ensuring a lawful basis under Article 9(2) for the Processing of any Special Categories of Personal Data.
5. Data Categories
The following table describes the categories of Personal Data Processed through the Coach Portal and the applicable retention periods:
| Category | Data Elements | Retention Period |
|---|---|---|
| Identity | Display name, email address, Firebase UID | Duration of account + 30 days |
| Relationship | Coach-athlete link, organization membership, assigned roles (9 defined roles), consent timestamps, consent source, per-relationship ACL permissions | Duration of relationship + 90 days |
| Compliance | Activity recency indicators (red/yellow/green status), activity count, days since last activity | Real-time computed; not stored persistently |
| Activity | Sport type, duration, date of activity | Duration of account + 30 days |
| Billing | Charge amounts, billing arrangement terms, payment status, platform fees, Stripe customer identifiers, subscription metadata | 7 years (financial and tax regulation) |
| Audit | Administrative actions (40+ action types), impersonation events with justification, actor UID, target UID, IP address, user agent, timestamps, before/after state snapshots | Indefinite (retained under Article 17(3)(e) GDPR: establishment, exercise, or defense of legal claims) |
| Organization | Organization name, hierarchy (parent/child), member roster, member roles, owner UID, dissolution status | Duration of organization + 90 days |
6. Sub-processors
6.1 Authorized Sub-processors. Customer provides general written authorization for Saturday to engage the Sub-processors listed in Annex 2. As of the effective date, Saturday uses the following Sub-processors for Coach Portal data:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Firebase, Firestore, Cloud Functions, Cloud Secret Manager) | Data storage, authentication, serverless compute, secrets management | United States (us-central1) |
| Stripe, Inc. | Payment processing (Stripe Connect for coach billing, subscription management) | United States |
| Brevo (Sendinblue SAS) | Transactional email (invitation notifications, impersonation notifications) | European Union |
| Klaviyo, Inc. | Marketing email and lifecycle communications | United States |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, edge hosting of Coach Portal frontend | Global edge network |
6.2 Notification of Changes. Saturday shall provide Customer with at least thirty (30) days' prior written notice before engaging a new Sub-processor or replacing an existing Sub-processor. The notice shall identify the Sub-processor, describe the Processing to be performed, and state the Sub-processor's location.
6.3 Objection Right. Customer may object to a new or replacement Sub-processor by notifying Saturday in writing within fourteen (14) days of receiving notice under Section 6.2. The objection must state reasonable grounds relating to data protection. Saturday shall use commercially reasonable efforts to make available to Customer a change in the Coach Portal or recommend a commercially reasonable alternative to avoid Processing of Personal Data by the objected-to Sub-processor. If Saturday is unable to accommodate Customer's objection within thirty (30) days of receiving it, Customer may terminate the Coach Portal subscription upon written notice to Saturday, and Saturday shall provide a prorated refund of any unused prepaid fees.
6.4 Sub-processor Obligations. Saturday shall: (a) impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA; and (b) remain fully liable to Customer for the performance of each Sub-processor's obligations.
7. Security Measures
In accordance with Article 28(3)(c) and Article 32 of the GDPR, Saturday implements and maintains the following technical and organizational measures to protect Personal Data. These measures are further detailed in Annex 3.
7.1 Encryption
- In transit: All API and web traffic is encrypted using TLS 1.3.
- At rest: All data at rest is encrypted using AES-256 via Google Cloud Platform default encryption.
7.2 Access Control
- Database-level scoping: Firestore Security Rules enforce per-document access control. Coach access is limited to athletes within the coach's active roster. Security rules validate the coach-athlete relationship status before granting read or write access.
- Role-based access control (RBAC): Nine (9) defined roles with twenty-three (23) discrete permissions govern access to Coach Portal functions. Permission resolution is enforced at the API middleware layer, returning HTTP 403 on unauthorized requests.
- Need-to-know principle: Saturday personnel access Personal Data only as necessary to perform their duties, subject to written confidentiality obligations.
7.3 Audit Logging
- All administrative actions, impersonation events, and data access operations are recorded in an append-only audit log. Audit log entries are never updated or deleted.
- Each audit entry records: actor identity, action type (40+ defined actions), target, before/after state, IP address, user agent, and timestamp.
7.4 Impersonation Controls
- Administrative impersonation sessions are limited to thirty (30) minutes and require a written justification.
- Impersonation events are logged in the audit trail and trigger notification to the impersonated user.
- Only users with the PermImpersonate permission (organization administrators, head coaches, and Saturday staff) may initiate impersonation.
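The following is an added illustration of how the controls in Sections 7.2 through 7.4 fit together in a request handler: a permission check that denies with HTTP 403, an impersonation start that requires a justification and expires after thirty minutes, an append-only audit entry carrying the fields listed in 7.3, and a notification to the impersonated user. It is example code written for this page, not Saturday's code, and it does not describe how the Coach Portal actually implements these measures. Apart from PermImpersonate, which the DPA names, the role names, permission names, function names and sample values are assumptions made for the example.

```javascript
// Added example: a self-contained model of the access-control, audit-logging and
// impersonation controls described in Sections 7.2-7.4. Not Saturday's code; all
// role/permission names except PermImpersonate are hypothetical.

const IMPERSONATION_LIMIT_MS = 30 * 60 * 1000; // Section 7.4: thirty-minute cap

// Hypothetical role -> permission table. The DPA describes 9 roles and 23
// permissions; only a handful are modelled here.
const ROLE_PERMISSIONS = {
  org_admin: ['PermImpersonate', 'PermManageRoster', 'PermViewBilling'],
  head_coach: ['PermImpersonate', 'PermManageRoster'],
  assistant_coach: ['PermManageRoster'],
  billing_admin: ['PermViewBilling'],
  readonly_coach: [],
};

// Resolve the union of permissions granted by an actor's roles (Section 7.2 RBAC).
function permissionsFor(roles) {
  const perms = new Set();
  for (const role of roles) {
    for (const p of ROLE_PERMISSIONS[role] || []) perms.add(p);
  }
  return perms;
}

// Append-only audit log (Section 7.3): entries are pushed, never updated or deleted.
// snapshot() hands out copies so callers cannot edit stored entries.
function createAuditLog() {
  const entries = [];
  return {
    append(entry) { entries.push(Object.freeze({ ...entry })); return entries.length; },
    snapshot() { return entries.map((e) => ({ ...e })); },
  };
}

// Middleware-style permission check (Section 7.2): missing permission -> 403.
function requirePermission(actor, permission) {
  if (!permissionsFor(actor.roles).has(permission)) {
    return { status: 403, error: `missing ${permission}` };
  }
  return { status: 200 };
}

// Start an impersonation session (Section 7.4). Every outcome, including denials,
// is written to the audit log with actor, target, IP, user agent and timestamp.
function startImpersonation(audit, notifications, req) {
  const { actor, targetUid, justification, ip, userAgent, now } = req;
  const base = { action: 'impersonation.start', actorUid: actor.uid, targetUid, ip, userAgent, timestamp: now };

  const auth = requirePermission(actor, 'PermImpersonate');
  if (auth.status !== 200) {
    audit.append({ ...base, outcome: 'denied', reason: auth.error, before: null, after: null });
    return auth;
  }
  if (!justification || justification.trim().length === 0) {
    audit.append({ ...base, outcome: 'rejected', reason: 'justification required', before: null, after: null });
    return { status: 400, error: 'justification required' };
  }
  const session = { actorUid: actor.uid, targetUid, startedAt: now, expiresAt: now + IMPERSONATION_LIMIT_MS };
  audit.append({ ...base, outcome: 'started', justification, before: null, after: session });
  // Section 7.4: the impersonated user is notified of the event.
  notifications.push({ to: targetUid, event: 'impersonation.start', actorUid: actor.uid, at: now });
  return { status: 200, session };
}

// Each request made under an impersonation session re-checks the expiry.
function isSessionActive(session, now) {
  return now >= session.startedAt && now < session.expiresAt;
}

// Constructed sample run: one read-only coach, one organization administrator.
function demo() {
  const audit = createAuditLog();
  const notifications = [];
  const t0 = Date.UTC(2026, 3, 27, 9, 0, 0); // constructed timestamp
  const common = { targetUid: 'athlete-7', ip: '203.0.113.5', userAgent: 'example-agent', now: t0 };
  const readonly = { uid: 'coach-ro-1', roles: ['readonly_coach'] };
  const admin = { uid: 'admin-1', roles: ['org_admin'] };

  const denied = startImpersonation(audit, notifications, { ...common, actor: readonly, justification: 'support ticket 123' });
  const noReason = startImpersonation(audit, notifications, { ...common, actor: admin, justification: '   ' });
  const ok = startImpersonation(audit, notifications, { ...common, actor: admin, justification: 'support ticket 123' });

  return {
    deniedStatus: denied.status,        // 403
    noReasonStatus: noReason.status,    // 400
    okStatus: ok.status,                // 200
    activeAt29min: isSessionActive(ok.session, t0 + 29 * 60 * 1000), // true
    activeAt31min: isSessionActive(ok.session, t0 + 31 * 60 * 1000), // false
    auditEntries: audit.snapshot().length, // 3: denied, rejected, started
    notified: notifications.length,        // 1: only the successful start notifies
  };
}
```

The design point worth noting is that denials are audited as well as successes: a failed attempt to impersonate is itself an administrative event, and a log that only records successful sessions cannot show a reviewer who tried and was refused.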
7.5 Authentication
- Authentication is managed through Firebase Authentication.
- Multi-factor authentication (MFA) is available for all users and may be enforced at the organization level for Enterprise tier customers, with configurable grace periods and allowed methods (TOTP, SMS).
7.6 Organizational Measures
- Saturday personnel with access to Personal Data are bound by written confidentiality obligations.
- Saturday conducts periodic vulnerability assessments of the Coach Portal infrastructure.
- Saturday maintains an incident response procedure, including the breach notification process described in Section 11.
- Saturday performs an annual security review of its technical and organizational measures.
8. Confidentiality
8.1 Saturday shall ensure that any person authorized to Process Personal Data on its behalf has committed to confidentiality obligations or is under an appropriate statutory obligation of confidentiality, in accordance with Article 28(3)(b) of the GDPR.
8.2 Saturday shall not disclose Personal Data to any third party except: (a) as necessary to provide the Coach Portal service through authorized Sub-processors listed in Annex 2; (b) as required by applicable law, regulation, or binding order of a court or governmental authority; or (c) as expressly authorized by Customer in writing.
8.3 If Saturday receives a legally binding request from a public authority for disclosure of Personal Data, Saturday shall promptly notify Customer of such request before making any disclosure, unless prohibited by law from doing so. Saturday shall use reasonable efforts to redirect the authority to request the data directly from Customer.
9. Sub-processor Engagement
9.1 In accordance with Article 28(2) and 28(4) of the GDPR, Saturday shall not engage a Sub-processor without Customer's prior general written authorization, which Customer grants under Section 6.1, subject to the notification and objection mechanism in Sections 6.2 and 6.3.
9.2 Saturday shall impose on each Sub-processor, by way of a written contract in accordance with Article 28(4) of the GDPR, data protection obligations that are substantively equivalent to those imposed on Saturday under this DPA, including obligations regarding confidentiality, security measures, international data transfers, and cooperation with the Controller and Supervisory Authorities.
9.3 Saturday remains fully liable to Customer for the acts and omissions of its Sub-processors to the same extent that Saturday would be liable if performing the Processing directly.
9.4 Upon Customer's written request, Saturday shall provide Customer with a copy of a Sub-processor agreement (which may be redacted to remove commercially sensitive information not relevant to data protection) to enable Customer to verify compliance with this Section.
10. Data Subject Rights Assistance
10.1 In accordance with Article 28(3)(e) of the GDPR, Saturday shall assist Customer, by appropriate technical and organizational measures and taking into account the nature of the Processing, in fulfilling Customer's obligations to respond to Data Subject requests to exercise their rights under Chapter III of the GDPR, including rights of access, rectification, erasure, data portability, restriction of Processing, and objection.
10.2 Saturday shall respond to Customer's requests for assistance under this Section within five (5) business days. Assistance includes: providing athlete data exports, executing data deletion upon account termination (immediate access removal followed by a 30-day data purge), correcting data upon Customer notification, and restricting Processing as directed.
10.3 If Saturday receives a request directly from a Data Subject in relation to Personal Data Processed under this DPA, Saturday shall promptly redirect the Data Subject to Customer or, where appropriate and with Customer's prior written authorization, fulfill the request on Customer's behalf. Saturday shall not respond to a Data Subject request directly without Customer's authorization, except to inform the Data Subject that the request has been referred to Customer.
10.4 The Coach Portal provides a privacy request interface through which Customer may submit access, export, and deletion requests on behalf of Data Subjects, with a thirty (30) day service level for fulfillment.
11. Personal Data Breach Notification
11.1 In accordance with Article 28(3)(f) of the GDPR, Saturday shall notify Customer of a Personal Data Breach without undue delay and in any event within seventy-two (72) hours after becoming aware of the breach.
11.2 The notification shall include, to the extent reasonably available at the time of notification:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected;
- The name and contact details of Saturday's point of contact from whom further information may be obtained;
- A description of the likely consequences of the Personal Data Breach; and
- A description of the measures taken or proposed to be taken by Saturday to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
11.3 Where it is not possible to provide all information at the same time, Saturday shall provide the information in phases without further undue delay.
11.4 Saturday shall cooperate with and assist Customer in relation to any investigation, mitigation, and remediation of the Personal Data Breach, and in Customer's compliance with its obligations under Articles 33 and 34 of the GDPR.
11.5 Saturday's notification of or response to a Personal Data Breach under this Section shall not be construed as an acknowledgment by Saturday of any fault or liability with respect to the breach.
12. Data Protection Impact Assessment Assistance
12.1 In accordance with Article 28(3)(f) of the GDPR, Saturday shall provide reasonable assistance to Customer in conducting data protection impact assessments ("DPIAs") under Article 35 of the GDPR and, where applicable, in consulting with the relevant Supervisory Authority under Article 36 of the GDPR, in each case solely in relation to Processing of Personal Data under this DPA and taking into account the nature of the Processing and the information available to Saturday.
12.2 Saturday shall make available to Customer such information about the Coach Portal's Processing activities as is reasonably necessary for Customer to carry out a DPIA, including descriptions of the technical and organizational measures set out in Section 7 and Annex 3.
13. Audit Rights
13.1 In accordance with Article 28(3)(h) of the GDPR, Saturday shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.
13.2 Customer may conduct one (1) audit per twelve (12) month period. Audits shall be conducted: (a) at Customer's expense; (b) during Saturday's normal business hours; (c) with at least thirty (30) days' prior written notice to Saturday; and (d) in a manner that does not unreasonably disrupt Saturday's operations.
13.3 Saturday may satisfy Customer's audit request by providing copies of relevant third-party audit reports or certifications (such as SOC 2 Type II reports, ISO 27001 certifications, or equivalent) that cover the Processing activities under this DPA. If such reports do not adequately address Customer's reasonable concerns, Customer retains the right to conduct a direct audit under Section 13.2.
13.4 The auditor mandated by Customer shall be bound by written confidentiality obligations and shall not be a competitor of Saturday. Customer shall provide Saturday with the identity of the auditor prior to the audit.
13.5 If an audit reveals material non-compliance with this DPA, Saturday shall promptly remediate the non-compliance at its own expense and notify Customer of the remediation measures taken.
14. International Data Transfers
14.1 Data Location. Saturday stores Personal Data primarily in Google Cloud's us-central1 region in the United States. Certain Sub-processors (Brevo) store data in the European Union, and certain Sub-processors (Cloudflare) process data across a global edge network.
14.2 Transfer Mechanism — EEA. To the extent that Personal Data is transferred from the EEA to the United States or any other country not subject to an adequacy decision by the European Commission, the parties agree that the 2021 EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor), are incorporated into this DPA by reference and apply to such transfers. For the purposes of the SCCs:
- The "data exporter" is the Customer (Controller);
- The "data importer" is Saturday (Processor);
- Clause 7 (Docking Clause): The optional docking clause applies, permitting additional entities to accede to the SCCs;
- Clause 9(a) (Sub-processors): Option 2 (General Written Authorization) applies, with thirty (30) days' prior notice of any intended addition or replacement of Sub-processors;
- Clause 17 (Governing Law): The SCCs shall be governed by the law of Ireland;
- Clause 18 (Choice of Forum and Jurisdiction): Disputes arising from the SCCs shall be resolved before the courts of Ireland;
- Annex I.A (List of Parties), Annex I.B (Description of Transfer), and Annex I.C (Competent Supervisory Authority) are completed in Annex 1 of this DPA;
- Annex II (Technical and Organizational Measures) is completed in Annex 3 of this DPA;
- Annex III (List of Sub-processors) is completed in Annex 2 of this DPA.
14.3 Transfer Mechanism — United Kingdom. To the extent that Personal Data is transferred from the United Kingdom, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, issued by the ICO and laid before Parliament on 2 February 2022, as revised under Section 18 of those Mandatory Clauses) applies to such transfers and is incorporated into this DPA by reference. The information required by Table 1 to Table 4 of the UK Addendum is as set out in the SCCs incorporated under Section 14.2, subject to the following:
- The Approved EU SCCs referenced in Table 2 are the SCCs as incorporated under Section 14.2 of this DPA, including the Appendix Information;
- Either party may end the UK Addendum in accordance with its terms;
- The UK Information Commissioner's Office is the competent supervisory authority for transfers subject to the UK GDPR.
14.4 Transfer Mechanism — Switzerland. To the extent that Personal Data is transferred from Switzerland, the SCCs incorporated under Section 14.2 apply with the following modifications: (a) references to the GDPR are interpreted as references to the Swiss Federal Act on Data Protection ("FADP") as applicable; (b) references to "Member State" are interpreted to include Switzerland; (c) references to the "competent supervisory authority" are interpreted as references to the Swiss Federal Data Protection and Information Commissioner ("FDPIC"); and (d) references to "EU," "Union," and "Member State law" are interpreted so as not to exclude Swiss data subjects from exercising their rights in their place of habitual residence in Switzerland.
14.5 Supplementary Measures. Saturday has assessed the laws and practices of the United States in accordance with the EDPB's Recommendations 01/2020 (version 2.0, adopted 18 June 2021) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Saturday implements the following supplementary measures:
- Technical measures: Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256); per-document access controls; time-limited impersonation with justification logging;
- Contractual measures: Sub-processor agreements requiring equivalent protections; commitment to challenge government access requests to the extent legally permissible; transparency regarding government access requests received (if any and to the extent legally permissible);
- Organizational measures: Need-to-know access restrictions; confidentiality obligations for all personnel; periodic security reviews; incident response procedures.
14.6 Customer Representation. Customer represents and warrants that it has the authority to transfer Personal Data to Saturday, including across international borders, and that such transfers are conducted in compliance with applicable data protection laws.
15. Return or Deletion of Personal Data
15.1 In accordance with Article 28(3)(g) of the GDPR, upon termination or expiration of the Agreement, Saturday shall, at Customer's election and written request, either: (a) return all Personal Data to Customer in a commonly used, machine-readable format; or (b) delete all Personal Data and existing copies. Saturday shall complete such return or deletion within thirty (30) days of receiving Customer's written request.
15.2 If Customer does not provide instructions within thirty (30) days of termination or expiration of the Agreement, Saturday shall delete all Personal Data in accordance with Section 15.1(b).
15.3 Exceptions. Saturday may retain Personal Data after termination to the extent required by applicable law, including:
- Billing records: Retained for seven (7) years as required by applicable financial and tax regulations;
- Audit log entries: Retained as necessary for the establishment, exercise, or defense of legal claims under Article 17(3)(e) of the GDPR;
- Data required by court order or regulatory mandate.
Saturday shall notify Customer of any such retention requirement and limit Processing of retained data to the specific legal purpose for which retention is required.
15.4 Upon completion of return or deletion, Saturday shall provide Customer with written certification of the deletion, upon written request.
15.5 Data that has been anonymized such that it no longer constitutes Personal Data within the meaning of the GDPR may be retained by Saturday without restriction.
16. Liability and Indemnity
16.1 Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Agreement, except that such limitations shall not limit a party's liability to Data Subjects under the SCCs or applicable data protection law where such limitation is not permitted.
16.2 Each party shall indemnify and hold harmless the other party against all claims, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or in connection with any third-party claim resulting from the indemnifying party's breach of this DPA.
16.3 Saturday's aggregate liability for all claims arising under this DPA, whether in contract, tort, or otherwise, shall not exceed the total fees paid by Customer to Saturday under the Agreement in the twelve (12) months immediately preceding the event giving rise to the claim. This limitation does not apply to: (a) Saturday's liability under the SCCs; (b) Saturday's indemnification obligations under Section 16.2 to the extent arising from Saturday's willful misconduct or gross negligence; or (c) regulatory fines imposed directly on Customer by a Supervisory Authority, which remain Customer's sole responsibility.
17. Term and Termination
17.1 This DPA is effective as of the date of execution and shall remain in force for the duration of Customer's Coach Portal subscription under the Agreement.
17.2 Either party may terminate this DPA for material breach by providing thirty (30) days' written notice to the other party, provided that the breaching party has been given the opportunity to cure the breach within such notice period.
17.3 Termination of the Agreement (including termination of Customer's Coach Portal subscription) shall automatically terminate this DPA.
17.4 The following Sections survive termination or expiration of this DPA: Section 1 (Definitions), Section 8 (Confidentiality), Section 11 (Personal Data Breach Notification), Section 13 (Audit Rights, for a period of twelve months following termination), Section 14 (International Data Transfers, to the extent Personal Data remains in Saturday's possession), Section 15 (Return or Deletion of Personal Data), Section 16 (Liability and Indemnity), and Section 22 (Governing Law).
18. Execution
18.1 This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.
18.2 Electronic signatures (including those provided through DocuSign or equivalent electronic signature services) shall have the same legal force and effect as original ink signatures.
18.3 For an executed copy of this DPA, contact Saturday at [email protected]. Electronic signing via DocuSign is available upon request.
Annex 1: Description of Processing
This Annex forms part of this DPA and satisfies the requirements of Annex I of the Standard Contractual Clauses (Module 2: Controller to Processor).
A. List of Parties
| Role | Party | Details |
|---|---|---|
| Data Exporter (Controller) | Customer | As identified on the signature page. Activities relevant to the transfer: use of the Saturday Coach Portal to manage athlete relationships, view compliance data, and process billing. |
| Data Importer (Processor) | Saturday Inc. | 8 The Green, STE A, Dover, DE 19901, United States. Contact: [email protected]. Activities relevant to the transfer: provision of the Coach Portal SaaS platform. |
B. Description of Transfer
| Field | Description |
|---|---|
| Categories of Data Subjects | Athletes (end users of the Saturday app); coaches (individual coaching professionals); organization members (administrators, assistant coaches, billing administrators, head coaches, read-only coaches); Saturday staff (when exercising impersonation). |
| Categories of Personal Data | Identity data (display name, email, Firebase UID); relationship data (coach-athlete links, organization membership, roles, consent records); compliance data (activity recency, activity count); activity data (sport type, duration, date); billing data (charge amounts, arrangement terms, payment status, Stripe identifiers); audit data (administrative actions, impersonation events, IP addresses, user agents, timestamps); organization data (name, hierarchy, member roster, roles). |
| Special Categories of Personal Data | Health data: athlete activity data (sport type, duration, and compliance metrics) may constitute health-related data under Article 9 of the GDPR. Applied restrictions and safeguards: per-document database access controls, role-based access, encryption at rest and in transit, consent-based data sharing. |
| Frequency of Transfer | Continuous, for the duration of the Agreement. |
| Nature of Processing | Collection, storage, structuring, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction. |
| Purpose of Processing | Provision of the Coach Portal service: athlete roster management, compliance monitoring, billing operations via Stripe Connect, organizational analytics, audit logging, administrative impersonation for support, and transactional communications. |
| Retention Period | As specified in Section 5 (Data Categories) of this DPA: identity data and activity data for the duration of the account plus 30 days; relationship and organization data for the duration plus 90 days; billing data for 7 years; audit data indefinitely (Article 17(3)(e) basis); compliance data computed in real time and not stored persistently. |
C. Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs. Where the Data Exporter is established in an EU Member State, the supervisory authority of that Member State shall be the competent authority. Where the Data Exporter is not established in an EU Member State but falls within the territorial scope of the GDPR pursuant to Article 3(2), the supervisory authority of the Member State designated by the Data Exporter on the signature page shall be the competent authority. In the absence of such designation, the Irish Data Protection Commission shall serve as the competent supervisory authority.
Annex 2: List of Sub-processors
This Annex forms part of this DPA and satisfies the requirements of Annex III of the Standard Contractual Clauses (Module 2: Controller to Processor).
| Sub-processor | Address | Description of Processing | Location |
|---|---|---|---|
| Google LLC (Google Cloud Platform, Firebase, Firestore, Cloud Functions, Cloud Secret Manager) | 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | Cloud infrastructure: data storage (Firestore), user authentication (Firebase Auth), serverless compute (Cloud Functions), secrets management (Cloud Secret Manager), and hosting. | United States (us-central1) |
| Stripe, Inc. | 354 Oyster Point Blvd, South San Francisco, CA 94080, United States | Payment processing: Stripe Connect for coach-athlete billing, subscription management, charge recording, refund processing, and identity verification (KYC) for coaches. | United States |
| Sendinblue SAS (d/b/a Brevo) | 106 boulevard Haussmann, 75008 Paris, France | Transactional email: coach invitation notifications, impersonation event notifications, and system-generated communications. | European Union (France) |
| Klaviyo, Inc. | 125 Summer Street, Boston, MA 02110, United States | Marketing email: coach lifecycle communications, redemption code delivery, and onboarding email sequences. | United States |
| Cloudflare, Inc. | 101 Townsend Street, San Francisco, CA 94107, United States | Content delivery, DNS resolution, DDoS protection, and edge hosting of the Coach Portal frontend application. | Global edge network |
Annex 3: Technical and Organizational Measures
This Annex forms part of this DPA and satisfies the requirements of Annex II of the Standard Contractual Clauses (Module 2: Controller to Processor). The following measures describe the technical and organizational security measures implemented by Saturday (Data Importer).
Encryption of Personal Data
- All data in transit is encrypted using TLS 1.3.
- All data at rest is encrypted using AES-256 via Google Cloud Platform's default encryption at rest. The encryption keys are Google-managed; Saturday does not hold, supply, or rotate the keys.
Confidentiality, Integrity, Availability, and Resilience
- Firestore Security Rules enforce per-document access control, scoping coach access to athletes within the coach's active roster.
- Nine (9) defined roles and twenty-three (23) discrete permissions govern application-level access.
- Google Cloud Platform provides infrastructure-level redundancy, backup, and disaster recovery capabilities.
- Saturday maintains incident response procedures for timely identification and remediation of availability disruptions.
Ability to Restore Availability and Access
- Saturday relies on Google Cloud Platform's infrastructure-level backup and recovery mechanisms, including Firestore's automatic replication across multiple availability zones within the us-central1 region. Replication provides resilience against zone failure; it is distinct from point-in-time or scheduled backups, which protect against accidental deletion or corruption.
Regular Testing and Evaluation
- Saturday conducts annual security reviews of its technical and organizational measures.
- Saturday performs periodic vulnerability assessments of the Coach Portal infrastructure.
- Saturday tests its incident response procedures to ensure readiness for Personal Data Breach scenarios.
User Identification and Authorization
- Authentication is managed through Firebase Authentication, supporting email/password, and OAuth-based sign-in.
- Multi-factor authentication (MFA) is available and enforceable per-organization for Enterprise tier customers, with configurable grace periods and allowed methods (TOTP, SMS).
- API middleware enforces role-based permissions at every endpoint, returning HTTP 403 for unauthorized access attempts.
- Session management includes enumeration of a user's active sessions, revocation of an individual session, and revocation of all sessions other than the current one.
Protection of Data During Transmission and Storage
- TLS 1.3 encryption for all API and web traffic between clients and Saturday's services.
- AES-256 encryption at rest for all Firestore collections, Cloud Storage objects, and other GCP storage services.
- Stripe handles payment card data in PCI-DSS-compliant infrastructure; Saturday does not store, process, or transmit cardholder data.
Physical Security of Processing Locations
- All Personal Data is stored in Google Cloud Platform data centers. Google maintains SOC 2 Type II and ISO 27001 certified physical security controls, including access restrictions, surveillance, and environmental controls.
Events Logging
- Saturday maintains an append-only audit log recording all administrative actions (40+ defined action types), impersonation events (with justification), actor identity, target, before/after state snapshots, IP address, user agent, and timestamps.
- Audit log entries are never updated or deleted.
- Google Cloud Logging captures all structured logs, including application-level and infrastructure-level events.
Data Minimization
- Compliance indicators (activity recency, activity count) are computed in real time and not stored persistently.
- Coaches cannot access athlete integration tokens (OAuth credentials for third-party services such as TrainingPeaks and Intervals.icu), biometric raw data, detailed health prescriptions, or payment credentials.
Data Retention and Deletion
- Retention periods are specified per data category in Section 5 of this DPA.
- Account deletion triggers immediate access removal, followed by purge of the account's data after the 30-day retention period; the longer per-category periods in Section 5 (for example, relationship, organization, and billing data) continue to apply to those categories.
- Relationship revocation by an athlete immediately terminates coach access via Firestore Security Rules, with historical records retained per the applicable retention period.
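The per-document access control described under "Confidentiality, Integrity, Availability, and Resilience" and the revocation behaviour described immediately above are both enforced in Firestore Security Rules. The rule set below is an added illustration of that pattern, not Saturday's own rule set; the collection names (`coachAthleteLinks`, `athletes/{athleteId}/activities`), the `{coachId}_{athleteId}` document key, and the `status`, `coachId`, `athleteId`, and `revokedAt` field names are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Caller has a Firebase Authentication identity.
    function signedIn() {
      return request.auth != null;
    }

    // Assumed data model (not from the DPA): one link document per
    // coach-athlete pair, keyed "{coachId}_{athleteId}".
    function linkPath(coachId, athleteId) {
      return /databases/$(database)/documents/coachAthleteLinks/$(coachId + '_' + athleteId);
    }

    // A coach is "on the athlete's active roster" only while the link
    // document exists AND its status is still "active". The rule is
    // re-evaluated on every request, so flipping the status denies the
    // very next read; nothing else has to be propagated.
    function hasActiveLink(coachId, athleteId) {
      return exists(linkPath(coachId, athleteId))
          && get(linkPath(coachId, athleteId)).data.status == 'active';
    }

    // Athlete activity documents (sport type, duration, date): readable by
    // the athlete themself, or by a coach with an active link. No client
    // writes; activity data is written by trusted server-side code.
    match /athletes/{athleteId}/activities/{activityId} {
      allow read: if signedIn()
          && (request.auth.uid == athleteId
              || hasActiveLink(request.auth.uid, athleteId));
      allow write: if false;
    }

    // Link documents carry the consent record. The athlete creates the
    // link (consent) and may revoke it by changing status; the document is
    // never deleted, so the historical record survives for the retention
    // period while coach access ends at once.
    match /coachAthleteLinks/{linkId} {
      allow read: if signedIn()
          && (request.auth.uid == resource.data.coachId
              || request.auth.uid == resource.data.athleteId);
      allow create: if signedIn()
          && request.auth.uid == request.resource.data.athleteId
          && linkId == request.resource.data.coachId + '_' + request.resource.data.athleteId
          && request.resource.data.status == 'active';
      allow update: if signedIn()
          && request.auth.uid == resource.data.athleteId
          && request.resource.data.diff(resource.data).affectedKeys()
              .hasOnly(['status', 'revokedAt']);
      allow delete: if false;
    }
  }
}
```

The `exists()` and `get()` calls are dependent document reads and count towards the per-request limit on such reads; both resolve the same path, so Firestore serves the second from the per-request cache. These rules are only the database-level check: the role and permission checks that the API middleware applies at each endpoint (HTTP 403 on failure) sit in front of them, and server-side code using the Admin SDK bypasses Security Rules entirely, so write paths that rules deny to clients must still be authorized in that code.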
Accountability
- Saturday maintains this DPA, the Coach Privacy Policy, and the Coach Terms of Service as documented records of its data protection commitments.
- Saturday's Terms of Service acceptance flow records each user's acceptance of the current ToS version, including timestamp, IP address, and user agent.
Sub-processor Security
- Each Sub-processor is contractually bound by data protection obligations substantively equivalent to those in this DPA.
- Google Cloud Platform maintains SOC 2 Type II, ISO 27001, and ISO 27017 certifications.
- Stripe maintains PCI-DSS Level 1 certification and SOC 2 Type II reports.
- Brevo maintains GDPR-compliant infrastructure within the European Union.
- Cloudflare maintains SOC 2 Type II and ISO 27001 certifications.
19. General Provisions
19.1 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous agreements, understandings, or representations regarding the same.
19.2 Amendments. This DPA may only be amended by a written instrument signed by both parties. Notwithstanding the foregoing, Saturday may update the technical and organizational measures described in Section 7 and Annex 3 from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Personal Data.
19.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
19.4 No Third-Party Beneficiaries. This DPA is for the benefit of the parties and their respective successors and permitted assigns only, except that Data Subjects are third-party beneficiaries of the SCCs as incorporated into this DPA.
19.5 Notices. All notices under this DPA shall be in writing and sent to the addresses specified in the Agreement or, for Saturday, to [email protected].
20. Cooperation with Supervisory Authorities
20.1 Saturday shall cooperate, on request, with the competent Supervisory Authority in the performance of its tasks, in accordance with Article 31 of the GDPR.
20.2 Saturday shall inform Customer promptly if it receives an inquiry, complaint, or investigation from a Supervisory Authority that relates to the Processing of Personal Data under this DPA.
21. Relationship to the Agreement
21.1 Nothing in this DPA reduces Saturday's obligations under the Agreement with respect to the protection of Personal Data or permits Saturday to Process Personal Data in a manner that would not be permitted under the Agreement.
21.2 Except for changes made by this DPA, the Agreement remains unchanged and in full force and effect.
22. Governing Law
22.1 This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws provisions.
22.2 Notwithstanding Section 22.1, to the extent required by the SCCs, the SCCs shall be governed by and construed in accordance with the law specified in Clause 17 of the SCCs (the law of Ireland), and disputes arising under the SCCs shall be resolved before the courts specified in Clause 18 of the SCCs (the courts of Ireland).
22.3 To the extent required by the UK Addendum, the UK Addendum shall be governed by and construed in accordance with the laws of England and Wales.