Data Processing Agreement
Last updated: April 7, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the entity identified as the tenant operator ("Controller") and Nerd Dawg Sports LLC, DBA PickEm Engagement ("Processor") for the provision of the PickEm Engagement platform (the "Service"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing the Service.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings ascribed to them in the GDPR or the underlying service agreement.
- "Controller" means the tenant operator that determines the purposes and means of the processing of Personal Data through its use of the Service.
- "Processor" means PickEm Engagement LLC, which processes Personal Data on behalf of the Controller in the course of providing the Service.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including but not limited to players, league members, and administrators within the Controller's tenant.
- "Personal Data" means any information relating to a Data Subject as defined by Article 4(1) of the GDPR, including names, email addresses, hashed passwords, IP addresses, pick history, leaderboard data, and payment information.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-Processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
2. Scope and Purpose of Processing
The Processor shall process Personal Data solely for the purpose of providing the Service to the Controller, as described in the underlying service agreement. The nature and purpose of processing includes:
- Account management: creation and maintenance of user accounts, including storage of names, email addresses, hashed passwords, and authentication tokens.
- Platform operations: recording and processing of player picks, survivor selections, tiebreaker predictions, and parlay bets within the Controller's leagues and seasons.
- Scoring and settlement: computation of leaderboard rankings, wallet balances, and settlement outcomes based on confirmed game results.
- Communications: delivery of transactional and lifecycle notifications, including email invitations, slate reminders, and settlement summaries.
- Payment processing: facilitation of subscription billing and payment collection through Stripe on behalf of the Controller.
- Analytics and reporting: generation of aggregated usage metrics and platform analytics for the Controller's administrative dashboard.
The categories of Data Subjects include players, league administrators, and tenant administrators. The duration of processing shall continue for the term of the underlying service agreement, unless otherwise specified in this DPA.
3. Processor Obligations
The Processor undertakes to:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by European Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organizational measures as set forth in Section 4 of this DPA to ensure a level of security appropriate to the risk of processing.
- Respect the conditions for engaging Sub-Processors as set forth in Section 5 of this DPA.
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to respond to requests for exercising Data Subject rights as set forth in Section 6 of this DPA.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless European Union or Member State law requires storage of the Personal Data, as set forth in Section 8 of this DPA.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as set forth in Section 9 of this DPA.
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other European Union or Member State data protection provisions.
4. Security Measures
The Processor shall implement and maintain the following technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage:
4.1 Technical Measures
- Encryption at rest: all Personal Data stored in the database is encrypted at rest using AES-256 encryption provided by the underlying infrastructure provider (Supabase / AWS).
- Encryption in transit: all data transmitted between clients, application servers, and database servers is encrypted using TLS 1.2 or higher. All public endpoints are served exclusively over HTTPS.
- Password hashing: user passwords are never stored in plaintext. All passwords are hashed using bcrypt with appropriate work factors, managed by Supabase Auth.
- Access controls: role-based access control (RBAC) is enforced at the application layer and database layer via Postgres Row Level Security (RLS) policies. Tenant isolation ensures that each Controller's data is accessible only to authorized users within that tenant.
- API authentication: all API endpoints require authentication via either session cookies carrying the HttpOnly, Secure, and SameSite attributes, or API keys, of which only a SHA-256 hash is stored (the key itself is never stored in plaintext).
- Monitoring and logging: application logs, audit logs, and settlement logs are maintained to detect unauthorized access or anomalous activity. Audit logs are append-only and record all administrative mutations.
- Infrastructure security: the Service is hosted on Vercel (edge network with DDoS protection) and Supabase (managed Postgres with automated backups, point-in-time recovery, and network isolation).
4.2 Organizational Measures
- Staff training: all personnel with access to Personal Data receive appropriate training on data protection obligations, security best practices, and the terms of this DPA.
- Incident response: the Processor maintains an incident response plan that includes identification, containment, eradication, recovery, and post-incident review procedures. The plan is tested and updated periodically.
- Principle of least privilege: access to production systems and Personal Data is limited to personnel who require such access to perform their job functions. Service role credentials are restricted to server-side operations and are never exposed to client-side code.
- Vendor management: Sub-Processors are evaluated for their security posture and data protection practices prior to engagement and on an ongoing basis.
Attorney Review Required
Review and specify which security certifications (e.g., SOC 2 Type II, ISO 27001) should be referenced or committed to in this section. Consider whether the Processor should commit to obtaining specific certifications within a defined timeline.
5. Sub-Processor Management
The Controller provides general written authorization for the Processor to engage the Sub-Processors listed below. The Processor shall impose on each Sub-Processor, by way of a contract or other legal act, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures such that the processing meets the requirements of the GDPR.
| Sub-Processor | Role / Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage, and serverless edge functions | United States |
| Stripe, Inc. | Payment processing, subscription billing, and financial transaction management | United States / European Union |
| Resend, Inc. | Transactional and lifecycle email delivery (invitations, notifications, password resets) | United States |
| The Odds API | Sports odds data provider for pick and betting line display | United States |
| ESPN (The Walt Disney Company) | Sports schedule and score data for game scheduling and settlement | United States |
| Vercel, Inc. | Application hosting, serverless compute, and global content delivery network | United States / Global CDN |
The Processor shall notify the Controller in writing of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Controller the opportunity to object to such changes. The Processor shall provide at least thirty (30) days' prior written notice before engaging a new Sub-Processor. If the Controller raises a reasonable objection within that notice period, the Processor shall use commercially reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable alternative. If no such alternative is available and the objection is not resolved within thirty (30) days of the Processor's receipt of the objection, either party may terminate the affected portion of the Service.
Where a Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-Processor's obligations.
6. Data Subject Rights Assistance
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. In particular:
- The Processor shall promptly notify the Controller if it receives a request from a Data Subject in respect of Personal Data processed under this DPA. The Processor shall not respond to such a request directly unless authorized by the Controller or required by applicable law.
- The Processor shall provide the Controller with self-service tools within the platform (including user data export, account deletion, and data modification capabilities) to facilitate the Controller's fulfilment of Data Subject requests.
- Where the Controller requires additional assistance beyond the self-service tools, the Processor shall provide reasonable cooperation, taking into account the nature of the processing, to help the Controller respond to Data Subject requests within the timeframes prescribed by the GDPR (generally within one month of receipt).
7. Breach Notification
In the event of a Personal Data breach (as defined by Article 4(12) of the GDPR), the Processor shall:
- Notify the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware of the breach, providing sufficient information to allow the Controller to meet its obligations under Articles 33 and 34 of the GDPR.
- Include in such notification, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of the Processor's data protection contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
- Where it is not possible to provide all required information within the initial seventy-two (72) hour notification, the Processor shall provide the information in phases without further undue delay.
Attorney Review Required
Define the liability cap applicable to data breaches. Consider whether the liability cap should be expressed as a multiple of annual fees paid, a fixed monetary amount, or tied to insurance coverage limits. Ensure the cap is appropriate for the nature and volume of Personal Data processed.
8. Data Return and Deletion
Upon termination or expiry of the underlying service agreement, or upon the Controller's written request, the Processor shall:
- At the Controller's election, return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV export), or delete all Personal Data and existing copies, unless European Union or Member State law requires continued storage.
- Complete the return or deletion within thirty (30) days of receiving the Controller's written instruction. The Processor shall certify in writing to the Controller that it has complied with this obligation.
- Ensure that all Sub-Processors likewise delete or return the Personal Data in their possession within the same timeframe, except where retention is required by applicable law.
- Where the Processor is required by applicable law to retain any Personal Data, it shall inform the Controller of that requirement and limit its processing of such data to the purposes required by applicable law. The Processor shall maintain the confidentiality and security of such retained data until deletion.
9. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
- The Controller shall provide at least thirty (30) days' prior written notice of any audit request, unless a shorter notice period is necessitated by a supervisory authority requirement or a confirmed data breach.
- Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations. The Controller shall bear its own costs of conducting audits.
- The Processor may satisfy audit requests by providing relevant third-party audit reports, certifications, or compliance documentation, where such materials adequately address the Controller's audit objectives.
- The Processor shall promptly remediate any non-compliance identified during an audit and shall provide the Controller with evidence of remediation within a reasonable timeframe.
Attorney Review Required
Specify the frequency and scope of permitted audits (e.g., once per calendar year, limited to data protection practices). Consider whether a cap on audit costs or a provision for pooled audits among multiple Controllers is appropriate.
10. International Data Transfers
The Processor and its Sub-Processors process Personal Data primarily in the United States. Where Personal Data originating from the European Economic Area ("EEA"), the United Kingdom, or Switzerland is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR.
Such safeguards may include, but are not limited to:
- Standard Contractual Clauses ("SCCs") as adopted by the European Commission, incorporated by reference into this DPA and executed between the relevant parties.
- Binding Corporate Rules approved by the competent supervisory authority, where applicable.
- Any successor transfer mechanism recognized under EU or UK data protection law.
Where the Processor relies on SCCs, it shall conduct and document a transfer impact assessment and implement supplementary measures as necessary to ensure that the level of protection afforded to Personal Data is not undermined by the laws of the destination country.
Attorney Review Required
Determine the specific cross-border data transfer mechanism to adopt (Standard Contractual Clauses, EU-US Data Privacy Framework, or alternative). SCCs should be appended as an annex if applicable. Consider whether the EU-US Data Privacy Framework certification is available and sufficient for this purpose.
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws that govern the underlying service agreement between the Controller and the Processor, except to the extent that applicable data protection laws (including the GDPR) mandate otherwise. In the event of any conflict between this DPA and the underlying service agreement, the provisions of this DPA shall prevail with respect to the processing of Personal Data.
Nothing in this DPA shall be construed as limiting the rights of Data Subjects or the powers of supervisory authorities under the GDPR or any other applicable data protection legislation.
To request a countersigned copy of this DPA, please contact legal@pickemengagement.com.