Data Processing Agreement

Capitalised terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) or UK GDPR. "Customer" means the entity using the TeamStores.AI Service. "TeamStores.AI" means TeamStores.AI Sport, Inc. "Personal Data" means any information that identifies, or could be used to identify, a natural person.

This DPA applies whenever TeamStores.AI Processes Personal Data on behalf of Customer in connection with the Service. It is incorporated by reference into the Terms of Service.

Customer is the Controller of Customer Personal Data. TeamStores.AI is the Processor. For Personal Data we collect about Customer's own end users for security, billing, or product analytics purposes, TeamStores.AI may act as an independent Controller; that processing is governed by our Privacy Policy.

TeamStores.AI will Process Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do so by applicable law.

TeamStores.AI will provide reasonable assistance to enable Customer to respond to data-subject requests. Where appropriate, our self-service privacy dashboard at /me/privacy allows individuals to exercise access, deletion, and portability rights without involving Customer.

Customer authorises TeamStores.AI to engage the sub-processors listed in our public subprocessor catalog. TeamStores.AI will provide notice of new sub-processors via the catalog and will impose data-protection terms substantially equivalent to this DPA on each sub-processor.

TeamStores.AI implements technical and organisational measures appropriate to the risks, including encryption at rest and in transit, access controls and MFA, audit logging, vulnerability management, and a written incident-response plan. See our security posture page for the current control set.

TeamStores.AI will notify Customer without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data breach, providing the information necessary for Customer to comply with its own notification obligations.

Upon termination of the Service, TeamStores.AI will, at Customer's option, delete or return all Personal Data in its possession within 30 days, save where retention is required by law.

Customer may request, no more than once per twelve-month period, a copy of TeamStores.AI's most recent third-party security attestation (SOC 2 Type II or equivalent) and reasonable additional information needed to demonstrate compliance.

Where Personal Data is transferred outside of the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer relies on the EU Standard Contractual Clauses (and the UK Addendum, where applicable), incorporated by reference into this DPA.

Each party's liability arising out of or in connection with this DPA is subject to the aggregate liability cap set forth in the underlying Terms of Service.

This DPA is governed by the laws of the State of Delaware, USA, except to the extent that mandatory data-protection law in another jurisdiction applies.