HeadCoach Data Processing Agreement
Effective: 28 April 2026
For organisational customers
This DPA applies whenever HeadCoach processes personal data on behalf of a Customer Organisation (a club, school, college, or similar body that subscribes to the Service for its athletes and coaches). It is incorporated into the Terms of Service and is binding on subscription — no separate signature required.
See also: Privacy Policy · Terms of Service.
01. About this Data Processing Agreement
This Data Processing Agreement (the “DPA”) forms part of the Terms of Service between HeadCoach App Ltd. (“HeadCoach”, “we”, “us”) and the customer organisation that has subscribed to the Service (the “Customer” or “you”). It applies whenever HeadCoach processes personal data on behalf of the Customer in the course of providing the Service.
For the purposes of this DPA: HeadCoach acts as the processor; the Customer acts as the controller. Where this DPA conflicts with the Terms of Service or the Privacy Policy on a data-protection matter, this DPA controls.
No signature is required to make this DPA binding. By subscribing to the Service as a Customer Organisation, the Customer accepts this DPA on the same basis as it accepts the Terms of Service.
02. Definitions
Words capitalised in this DPA have the meaning given to them in the Terms of Service. In addition:
- “Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the EU GDPR (where it applies), and any other privacy or data protection law that applies to the processing of personal data under this DPA.
- “Customer Personal Data” means personal data that HeadCoach processes on behalf of the Customer in the course of providing the Service, as described in Annex 1.
- “Data Subject”, “personal data”, “processing”, “controller”, “processor”, “sub-processor”, and “personal data breach” have the meanings given to them in Applicable Data Protection Law.
- “Sub-processor” means any third party engaged by HeadCoach to process Customer Personal Data on our behalf.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), Module 2 (controller to processor), as amended for UK transfers by the UK Information Commissioner’s International Data Transfer Addendum.
03. Scope and roles of the parties
- The Customer is the controller of the Customer Personal Data. The Customer is responsible for the lawfulness of the processing it instructs HeadCoach to carry out, including for obtaining any consents required from athletes, parents, or guardians.
- HeadCoach is the processor in respect of the Customer Personal Data. We will process it only on the Customer’s documented instructions, as set out in this DPA, the Terms of Service, the Privacy Policy, and any further written instructions the Customer gives us.
- Where HeadCoach acts as a controller of personal data in its own right (for example, in respect of account administrators’ contact details, billing data, or aggregated analytics derived from de-identified data), the Privacy Policy applies and this DPA does not.
- The subject matter, duration, nature, purpose, and types of personal data and categories of Data Subjects are described in Annex 1.
04. Customer instructions
- HeadCoach will process Customer Personal Data only on the Customer’s documented instructions, including with regard to transfers of personal data to third countries.
- The Customer’s use of the Service, configured in accordance with the Service’s functionality and the Documentation, constitutes the Customer’s documented instructions to HeadCoach.
- HeadCoach will inform the Customer if, in our opinion, an instruction infringes Applicable Data Protection Law.
- Where Applicable Data Protection Law requires HeadCoach to process Customer Personal Data otherwise than on the Customer’s instructions, we will inform the Customer of that legal requirement before the processing, unless the law prohibits us from doing so on important grounds of public interest.
05. Confidentiality
HeadCoach will ensure that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether by contract, professional duty, or otherwise) and have received appropriate training on their data protection obligations.
06. Security
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risks to Data Subjects, HeadCoach will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
A summary of the technical and organisational measures we maintain is set out in Annex 2.
07. Sub-processors
- The Customer authorises HeadCoach to engage the sub-processors listed in Annex 3 to process Customer Personal Data in connection with the Service.
- We will impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA.
- We remain responsible to the Customer for the performance of any sub-processor we engage.
- Where we propose to engage a new sub-processor or replace an existing one, we will notify the Customer at least 30 days in advance by updating the sub-processor list at /sub-processors and (where the Customer has opted in) by email.
- The Customer may object to the appointment of a new sub-processor on reasonable data protection grounds within 30 days of the notice. If the Customer objects, the parties will work together in good faith to find a workable resolution. If no resolution is reached, the Customer may terminate the affected part of the Service on written notice and receive a pro-rata refund of any prepaid fees for the unused period.
08. International transfers
HeadCoach hosts the Service infrastructure on Amazon Web Services in the United States and engages sub-processors located in the United States and other countries as set out in Annex 3. Where Customer Personal Data is transferred from the United Kingdom or the European Economic Area to a country that has not been recognised by the relevant authority as providing an adequate level of data protection, the parties agree that:
- The Standard Contractual Clauses (Module 2 — controller to processor), together with the UK International Data Transfer Addendum where the transfer is from the United Kingdom, are incorporated into this DPA by reference and apply to such transfer. The Customer is the “data exporter” and HeadCoach is the “data importer”.
- Where a sub-processor is certified under the EU–US Data Privacy Framework (or its UK Extension) and the relevant transfer falls within that certification, transfers may be made in reliance on that framework instead of the SCCs.
- Annex 1 sets out the information required for the SCCs (categories of data, frequency of transfer, retention, etc.). Annex 2 sets out the technical and organisational measures.
- The optional clauses in the SCCs are agreed as follows: Clause 7 (docking) does not apply; Clause 9(a) Option 2 (general written authorisation) applies, with notice in line with section 7 above; Clause 11(a) (independent dispute resolution body) does not apply; Clause 17 (governing law) — the law of Northern Ireland; Clause 18 (forum and jurisdiction) — the courts of Northern Ireland.
09. Assistance with data subject rights
- Taking into account the nature of the processing, HeadCoach will assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer’s obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law.
- If we receive a request directly from a Data Subject in respect of Customer Personal Data, we will, without undue delay, forward the request to the Customer or instruct the Data Subject to make their request to the Customer.
- We will not respond to a Data Subject request directly, except on the Customer’s instructions or as required by law.
10. Personal data breaches
- HeadCoach will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer Personal Data.
- The notification will, at a minimum, describe the nature of the breach, the categories and approximate number of Data Subjects and personal data records concerned, the likely consequences of the breach, and the measures we have taken or propose to take to address it.
- We will assist the Customer in meeting its own breach-notification obligations to supervisory authorities and Data Subjects under Applicable Data Protection Law.
11. Data protection impact assessments and prior consultation
Taking into account the nature of the processing and the information available to us, HeadCoach will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Articles 35 and 36 of the UK GDPR or EU GDPR.
12. Audits
- HeadCoach will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR (or its EU equivalent), and will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
- To minimise disruption to the Service and to other customers, audits will be carried out (i) on at least 30 days’ written notice; (ii) no more than once in any 12-month period (except where required by a supervisory authority or following a confirmed personal data breach); (iii) during normal business hours; and (iv) at the Customer’s expense.
- Where available, HeadCoach may satisfy this obligation by providing the Customer with a recent independent third-party audit report (such as a SOC 2, ISO 27001, or similar report) covering the relevant aspects of the Service.
13. Return or deletion of Customer Personal Data
On termination or expiry of the Service, and at the Customer’s choice, HeadCoach will delete or return all Customer Personal Data to the Customer and delete existing copies, unless Applicable Data Protection Law requires storage of the personal data.
Where the Customer does not specify a choice within 30 days of termination, HeadCoach will delete the Customer Personal Data in accordance with the retention timescales in section 12 of the Privacy Policy.
14. Liability
Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits or excludes liability for any matter that cannot lawfully be limited or excluded.
15. Term
This DPA takes effect when the Customer first subscribes to the Service and continues for as long as HeadCoach processes Customer Personal Data on behalf of the Customer. The provisions of this DPA that by their nature are intended to survive termination (including this section, sections 5, 8, 12, 13, and 14, and Annex 2) will so survive.
16. General
- Order of precedence — In case of conflict between this DPA and the Terms of Service or Privacy Policy on a data-protection matter, this DPA prevails. In case of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail in respect of the international transfer to which they apply.
- Updates — HeadCoach may update this DPA from time to time to reflect changes in our Service, our sub-processor list, or Applicable Data Protection Law. We will notify Customers of material changes in line with section 7.
- Governing law and jurisdiction — As set out in section 18 of the Terms of Service.
- Contact — Questions about this DPA can be sent to hello@headcoachapp.com.
A1. Annex 1 — Description of the processing
Subject matter and duration
HeadCoach processes Customer Personal Data for as long as the Customer subscribes to the Service, plus the limited period thereafter described in section 13 (Return or deletion) and in section 12 of the Privacy Policy.
Nature and purpose of the processing
Provision of the HeadCoach mental performance app to the Customer’s athletes and coaches, including: account creation and authentication; daily check-ins; EQ skills assessment and program delivery; habit tracking; strategy delivery; Weekly Wrap; team-facing features (Team Hub, Leaderboard); push notifications; AI-augmented features (insight generation, profile question selection, AI agent); customer support; and aggregated, de-identified team-level analytics shared with the Customer.
Categories of Data Subjects
- Athletes (the Customer’s players or members) aged 13 and over.
- Coaches (the Customer’s coaching staff) using the Service.
- Account administrators acting on behalf of the Customer.
Categories of personal data
- Identity and account data — name, date of birth, gender, sport, position, profile photo, email address, authentication identifiers.
- Performance and wellbeing data, including special category data — mood selections, body battery, free-text reflections, EQ assessment answers, EQ skill profile, habit data, strategy completion, Weekly Wrap inputs, AI agent messages, voice-transcribed text.
- Usage and technical data — device type and identifier, OS, app version, language, time zone, IP address, push notification token, usage logs.
- Subscription and billing metadata — subscription status, plan, renewal dates, transaction reference (we do not see card numbers).
Frequency of the processing
Continuous, while the Customer is subscribed to the Service.
Retention
As set out in section 12 of the Privacy Policy and section 13 of this DPA.
Restricted transfers
Transfers from the United Kingdom and (where applicable) the European Economic Area to the United States, governed by the Standard Contractual Clauses (Module 2) and, for UK transfers, the UK International Data Transfer Addendum, except where a sub-processor is certified under the EU–US Data Privacy Framework or its UK Extension and the transfer falls within that certification.
A2. Annex 2 — Technical and organisational measures
HeadCoach maintains the following technical and organisational measures to protect Customer Personal Data.
Access control
- Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
- We follow the principle of least privilege — staff are granted only the access they need for their role, reviewed periodically.
- User-facing authentication uses Firebase Authentication, with support for Apple Sign-In and Google Sign-In.
Encryption
- Data in transit between the app and our backend is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using the encryption-at-rest features of our hosting platform (AWS) and storage providers.
Network and infrastructure security
- Production systems are hosted on Amazon Web Services in the United States, in a region with isolated VPC networking.
- Network access to production resources is restricted via security groups and firewall rules.
- Critical services are monitored continuously; we receive automated alerts on anomalous behaviour.
Application security
- Authentication tokens are time-bound and rotated.
- Sensitive endpoints are protected against common web application attacks (e.g. injection, broken authentication) following OWASP Top 10 guidance.
- Code changes are reviewed by a second engineer before merging to the main branch.
Personnel
- All personnel are bound by written confidentiality obligations.
- Personnel receive training on data protection and information security on joining and at appropriate intervals thereafter.
- Access for departing personnel is revoked promptly on termination.
Sub-processor management
- We maintain a current list of sub-processors at /sub-processors.
- Each sub-processor is engaged under a written contract that imposes data protection obligations no less protective than those in this DPA.
Backups and resilience
- We maintain regular automated backups of Customer Personal Data, encrypted at rest.
- Backups are rotated on a defined schedule.
Incident response
- We maintain a documented incident response process covering detection, containment, eradication, recovery, and post-incident review.
- We notify Customers of personal data breaches in accordance with section 10 of this DPA.
A3. Annex 3 — Authorised sub-processors
The Customer authorises HeadCoach to engage the following sub-processors. The current list is also published at /sub-processors.
- Amazon Web Services. Purpose: hosting of the HeadCoach backend, database, and storage of Customer Personal Data. Processing location: United States.
- Google Firebase (Authentication, Cloud Messaging, Storage). Purpose: user authentication, push notifications, image storage. Processing location: United States.
- Apple. Purpose: Sign in with Apple; in-app subscription billing on iOS. Processing location: United States / your region.
- Stripe. Purpose: subscription payment processing on platforms other than iOS. Processing location: United States / EU.
- OpenAI. Purpose: AI processing for in-app reflections, profile questions, and AI agent conversations. Processing location: United States.
- Sanity. Purpose: content management for coaching audio and knowledge-base content (no Customer Personal Data sent). Processing location: United States / EU.
- Amazon Simple Email Service (SES). Purpose: sending transactional emails (verification, account, support). Processing location: United States.
Self-hosted Metabase analytics and the marketing-site analytics tools (Google Analytics 4, Meta Pixel, LinkedIn Insight Tag) are listed in the Privacy Policy; they do not process Customer Personal Data on the Customer’s behalf and so are not authorised sub-processors under this DPA.