Data Processing Agreement
For businesses and organizations that use DigitalTallyCounter.com to process personal data. This DPA forms part of, and is governed by, our Terms of Service.
1. Scope & roles
This Data Processing Agreement ("DPA") applies where Nowaitn Corporation ("Nowaitn," "we," "us") processes personal data on behalf of a customer ("you," the "Controller") in the course of providing DigitalTallyCounter.com (the "Service"). For that data, you are the Controller (or a processor acting for another controller) and we are the Processor. This DPA is incorporated into and governed by our Terms of Service and Privacy Policy; where this DPA conflicts with the Terms on the subject of data processing, this DPA controls. Terms like "controller," "processor," "personal data," "processing," and "data subject" have the meanings given in applicable data-protection law (e.g. the GDPR/UK GDPR and, for California, the CCPA/CPRA).
2. Details of processing
- Subject matter & duration: processing for the duration of your use of the Service and until data is deleted or returned as described below.
- Nature & purpose: hosting, storing, transmitting, displaying, and otherwise processing personal data as needed to provide and support the Service at your direction.
- Types of personal data: the data you choose to enter — for example names or labels, scores and counts you associate with people, account contact details, and usage data.
- Categories of data subjects: the individuals you choose to include — for example your players, students, staff, members, attendees, or other end users.
You are responsible for the personal data you submit, for having a lawful basis to provide it, and for any required notices or consents from your data subjects. You agree not to submit special-category, health, payment-card, government-issued, or other heightened-sensitivity data except as permitted under the Terms.
3. Our obligations
- Instructions. We process personal data only to provide the Service and on your documented instructions (which include your use of the Service and its settings), unless law requires otherwise — in which case we'll inform you where permitted.
- Confidentiality. Personnel authorized to process the data are bound by appropriate confidentiality obligations.
- Security. We maintain technical and organizational measures appropriate to the risk, as described in our Security & Compliance overview and Trust Center. We may update these measures provided protection is not materially reduced.
- Assistance. Taking into account the nature of the processing, we provide reasonable assistance, through appropriate measures, to help you respond to data-subject requests and meet your security, breach-notification, and impact-assessment obligations. We may charge for assistance beyond what is reasonable for a self-service product.
- Deletion / return. On termination, or on your reasonable request, we delete or return personal data, except where retention is required by law or occurs in routine backups for a limited period.
4. Sub-processors
You give general authorization for us to engage sub-processors to help provide the Service. Our current sub-processors are listed on our Sub-processors page. We impose data-protection obligations on our sub-processors that are materially consistent with this DPA, and we remain responsible for their performance of those obligations. We may add or replace sub-processors; the Sub-processors page is the source of truth, and you may request to be notified of changes by emailing legal@digitaltallycounter.com.
5. International transfers
We operate from the United States and may process personal data in the U.S. and other countries. Where we transfer personal data subject to the GDPR/UK GDPR to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses — Module Two (controller-to-processor) where you are the controller, or Module Three (processor-to-processor) where you act as a processor — together with the UK International Data Transfer Addendum, which are incorporated by reference where applicable.
6. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and provide information reasonably available to help you meet your notification obligations. See our Incident & Breach Notification policy for how we handle incidents.
7. Audits & information
On reasonable written request (no more than once per year, except as legally required), we will make available information reasonably necessary to demonstrate compliance with this DPA, such as relevant documentation or summaries of our security measures. Any on-site or third-party audit must be agreed in advance, conducted during business hours, subject to confidentiality, at your expense, and in a manner that does not disrupt the Service or compromise other customers' data.
8. California (CCPA/CPRA)
Where the CCPA/CPRA applies and we process personal information on your behalf, we act as your service provider. We will not sell or share that personal information, will not retain, use, or disclose it except as necessary to provide the Service or as permitted by the CCPA, and will not combine it with other data except as the CCPA allows. We certify that we understand and will comply with these restrictions.
9. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Terms of Service.
10. How this DPA is entered into
This DPA is effective and binding upon your acceptance of the Terms; no signature is required. If your organization needs a counter-signed copy or a negotiated agreement, contact legal@digitaltallycounter.com.
DigitalTallyCounter.com is operated by Nowaitn Corporation, a Delaware corporation.