Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is entered into between ShotPro Technologies, Inc. (“Processor”) and the Dealer (“Controller”), as defined in the Master Services Agreement (“MSA”). This DPA forms part of the MSA and governs the processing of Personal Data by Processor on behalf of Controller.

Definitions

Terms like “Personal Data,” “Processing,” “Controller,” “Processor,” and “Data Subject” have the meanings given in the GDPR, CCPA, or equivalent laws.

Scope and Roles

2.1 Controller determines the purposes and means of Processing Personal Data. Processor processes Personal Data only on documented instructions from Controller, including for Platform services.

2.2 Types of Personal Data: Names, contact details, birth dates, payment info, usage data.

2.3 Categories of Data Subjects: End Users, Dealer personnel.

2.4 Purpose: To provide Range Services, payment processing, SMS communications, analytics.

Obligations of Processor

3.1 Compliance: Processor shall comply with GDPR, CCPA, and other data protection laws. If health data (e.g., training certifications) is involved, Processor shall reference and comply with HIPAA requirements, including safeguards for protected health information (PHI).

3.2 Instructions: Process only as instructed by Controller, unless required by law (with prior notice where possible).

3.3 Confidentiality: Ensure personnel are bound by confidentiality.

3.4 Security: Implement appropriate technical and organizational measures (e.g., encryption, access controls).

3.5 Sub-Processors: Processor may engage sub-processors (e.g., Stripe for payments). List of sub-processors available upon request. Controller may object; Processor will notify of changes.

3.6 Data Subject Rights: Assist Controller with requests (e.g., access, deletion) within reasonable timelines.

3.7 Breach Notification: Notify Controller without undue delay (within 72 hours) of a Personal Data breach.

3.8 Audits: Allow audits by Controller or auditor, subject to reasonable notice.

3.9 International Transfers: Use safeguards (e.g., Standard Contractual Clauses) for transfers outside EEA/US.

3.10 Return/Deletion: At termination, return or delete Personal Data as instructed.

Obligations of Controller

4.1 Lawful Basis: Ensure lawful basis for Processing, including consents.

4.2 Instructions: Provide clear instructions.

Liability

Limited as per MSA Section 10.

Term and Termination

Aligns with MSA Term.

Governing Law

Texas law, as per MSA.

IN WITNESS WHEREOF, the Parties execute this DPA electronically as part of the MSA.

Data Subject Rights & Data Portability

RECITALS

WHEREAS, ShotPro Technologies, Inc. ("ShotPro" or "Processor") and Customer ("Controller") are parties to a Data Processing Agreement (the "DPA") governing the processing of personal data;

WHEREAS, the parties wish to amend the DPA to add explicit provisions regarding data subject rights, including the right to data portability under Article 20 of the General Data Protection Regulation ("GDPR");

NOW, THEREFORE, the parties agree to amend the DPA as follows:

1. DATA SUBJECT RIGHTS ASSISTANCE

1.1 General Obligation

ShotPro shall assist Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including but not limited to the GDPR, California Consumer Privacy Act ("CCPA"), and other applicable privacy regulations.

1.2 Supported Data Subject Rights

ShotPro shall provide reasonable assistance to Controller in responding to Data Subject requests for:

  • Access to personal data
  • Rectification or correction of inaccurate data
  • Erasure or deletion ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Withdrawal of consent

1.3 Request Forwarding

If ShotPro receives a request directly from a Data Subject regarding personal data processed on behalf of Controller, ShotPro shall promptly (within 48 hours) forward such request to Controller and shall not respond to the Data Subject directly unless authorized by Controller or required by applicable law.

1.4 Response Timeframes

ShotPro shall provide reasonable assistance to enable Controller to respond to Data Subject requests within the timeframes required by applicable law (typically 30 days under GDPR, 45 days under CCPA). ShotPro shall use commercially reasonable efforts to provide requested information or take requested action within ten (10) business days of Controller's request for assistance.

2. DATA PORTABILITY (GDPR ARTICLE 20)

2.1 Right to Data Portability

Upon Controller's request, ShotPro shall provide Controller (or, at Controller's direction, a Data Subject) with a copy of personal data processed by ShotPro on Controller's behalf in a structured, commonly used, and machine-readable format, to the extent such data:

  • Was provided by the Data Subject to Controller;
  • Is processed by automated means; and
  • Processing is based on consent or contractual necessity.

2.2 Portable Data Categories

The following categories of personal data are available for export under the data portability right:

  • Customer/member account information (name, email, phone, address, date of birth)
  • Waiver and consent records
  • Class and range booking history
  • Purchase and transaction history
  • Communications preferences (SMS opt-in/out, email preferences)
  • Custom profile fields created by Controller
  • Visit and attendance logs

2.3 Export Formats

ShotPro shall make data available for export in one or more of the following machine-readable formats:

  • CSV (Comma-Separated Values): For tabular data such as customer lists, transaction records, and visit logs
  • JSON (JavaScript Object Notation): For structured data with nested relationships
  • PDF: For document records such as signed waivers and consent forms

2.4 Export Methods

Controller may request data export through the following methods:

(a) Self-Service Export: Controller may access the ShotPro administrative dashboard to initiate bulk data exports for individual Data Subjects or all customer records. Export function location: Settings → Data Management → Export Data.

(b) Support-Assisted Export: Controller may submit a data export request to [email protected] specifying the Data Subject(s) and desired format. ShotPro shall process such requests within ten (10) business days.

(c) API Access: For Max and XO plan customers, ShotPro provides API endpoints for programmatic data export. API documentation available at docs.shotpro.com/api/data-export.

2.5 Direct Transfer to Third Party

Where technically feasible and upon Controller's written request, ShotPro shall transmit portable data directly to another service provider designated by Controller or the Data Subject. Direct transfer requests require:

  • Written authorization from Controller identifying the receiving party;
  • Technical specifications from the receiving party (API endpoint, authentication credentials, data format requirements);
  • Secure transmission channel (HTTPS, SFTP, or equivalent encryption); and
  • Acknowledgment that ShotPro's obligation terminates upon successful transmission to the receiving party.

2.6 Limitations

The data portability right does not apply to:

  • Data inferred or derived by ShotPro (e.g., analytics, customer scores, predictions);
  • Data processed under legal bases other than consent or contract (e.g., legitimate interests);
  • Data where export would adversely affect the rights and freedoms of others;
  • ShotPro's proprietary software, algorithms, or trade secrets.

3. FEES FOR DATA SUBJECT REQUESTS

3.1 ShotPro shall provide assistance for the first two (2) data subject requests per calendar month at no additional charge as part of the subscription services.

3.2 For requests exceeding this threshold, or for requests that are manifestly unfounded or excessive (including repetitive requests), ShotPro may charge a reasonable fee based on administrative costs, not to exceed $50 per request.

3.3 ShotPro shall notify Controller of any applicable fees before processing the request.

4. DATA DELETION UPON TERMINATION

4.1 Upon termination or expiration of the services agreement, Controller may request a full data export within thirty (30) days of termination. ShotPro shall provide such export at no additional charge.

4.2 Following the 30-day export period (or upon Controller's earlier written instruction), ShotPro shall delete all personal data processed on Controller's behalf within sixty (60) days, except as required by applicable law.

4.3 ShotPro shall provide written certification of deletion upon Controller's request.

5. GENERAL PROVISIONS

5.1 Incorporation: This Amendment is incorporated into and made part of the DPA. All terms and conditions of the DPA not expressly amended hereby remain in full force and effect.

5.2 Conflict: In the event of any conflict between this Amendment and the DPA, this Amendment shall control with respect to data subject rights and data portability matters.

5.3 Governing Law: This Amendment shall be governed by the same law governing the DPA.

5.4 Effective Date: This Amendment is effective as of the date first written above and applies to all existing and future Customers bound by the DPA.