Data Processing Addendum
Last updated: May 14, 2026
This Data Processing Addendum (“DPA”) supplements the Squadz Terms of Service and applies whenever Squadz processes personal data on behalf of a customer organization (the “Controller”) that is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), or comparable data-protection law. By using Squadz to manage rosters, schedules, and communications, the Controller instructs Squadz (“Processor”) to process personal data as described below.
1. Roles
The customer organization (or coach/parent acting on behalf of an organization or athlete) is the Controller of personal data submitted to Squadz. Squadz acts as Processor and processes that personal data only on documented instructions from the Controller, including those expressed through the configuration of the service.
2. Subject Matter, Duration, Nature and Purpose
- Subject matter: provision of the Squadz team-management service.
- Duration: for the term of the Controller's subscription plus any retention period described in the Privacy Policy.
- Nature and purpose: scheduling, RSVPs, messaging, roster management, attendance, file storage, and related team-coordination features.
3. Categories of Data Subjects and Personal Data
- Data subjects: coaches, administrators, parents, guardians, athletes (including minors), and other team participants.
- Categories of personal data: names, email addresses, phone numbers, dates of birth or birth years, jersey numbers, athlete positions, custom roster fields defined by the Controller, event attendance, messages, file and photo uploads, authentication identifiers, and access logs.
- Special-category data: only if the Controller chooses to store it (for example, medical notes in a custom field flagged as sensitive). Squadz applies additional access controls to fields marked sensitive but does not require their collection.
4. Processor Obligations
- Process personal data only on documented Controller instructions.
- Ensure personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Section 7).
- Assist the Controller in responding to data-subject requests through in-app endpoints (Privacy Dashboard, export, deletion).
- Notify the Controller without undue delay (and in any event within 72 hours of confirmation) after becoming aware of a personal-data breach affecting Controller data.
- On termination, delete or return personal data at the Controller's election, subject to retention required by law.
5. Sub-processors
The Controller provides general authorization for Squadz to engage the sub-processors listed below. Squadz will provide at least 14 days' advance notice of any new sub-processor (by updating this page and, on request, by email to the Controller's designated contact). The Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Controller may terminate the affected service.
| Sub-processor | Purpose | Location |
|---|---|---|
| Turso | Managed SQLite database hosting (primary application data store) | United States / global edge replicas |
| Cloudflare | CDN, DDoS protection, DNS, and R2 object storage for uploaded files and photos | Global edge network |
| Stripe | Payment processing for paid subscription tiers | United States |
| Resend | Transactional email delivery (event reminders, RSVP confirmations, password resets, team announcements) | United States |
| DigitalOcean | Application hosting and compute infrastructure | United States |
| Google (Identity Services) | Optional Google sign-in (OAuth) for end-user authentication | United States |
To subscribe to sub-processor change notifications, email privacy@squadz.app.
6. International Transfers
Where personal data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (Module Two, Controller-to-Processor), the UK International Data Transfer Addendum, or an equivalent transfer mechanism, as applicable. These clauses are incorporated by reference into this DPA.
7. Security Measures
- TLS 1.2+ for all data in transit.
- Encryption at rest provided by infrastructure sub-processors.
- Passwords hashed with bcrypt; session tokens scoped and revocable.
- Role-based access controls at the team and organization level; additional restrictions on fields flagged sensitive (e.g. medical).
- Least-privilege access for Squadz personnel; production access logged and reviewed.
- Encrypted backups with documented restore procedures and regular tests.
- Vulnerability monitoring, dependency updates, and incident response procedures.
8. Data-Subject Requests
Squadz provides self-service tools that satisfy access, portability, correction, and deletion requests: every account holder can view, export (JSON or CSV), and delete their data from the Privacy Dashboard in account settings. Squadz will assist the Controller with any request that cannot be completed through these tools.
9. Audits
On reasonable written request, and no more than once per year except where required by a supervisory authority, Squadz will make available information necessary to demonstrate compliance with this DPA, including third-party audit reports of its infrastructure providers where contractually available.
10. Contact
Privacy and data-protection inquiries: privacy@squadz.app. Customers requiring a counter-signed DPA may request one at the same address.