Data Processing Agreement
This DPA is incorporated into the Master Services Agreement (MSA) by reference per MSA Section 8.2 and is effective as of the Order Form execution date. No separate signature is required. Defined terms not defined herein have the meanings ascribed to them in the MSA.
This DPA governs all Personal Data processed by ShotPro on behalf of Dealer in connection with the ShotPro Platform, including End User data collected through digital waivers, reservations, POS transactions, memberships, and SMS communications.
Section 1 — Definitions
| Term | Definition |
|---|---|
| Controller | The entity that determines the purposes and means of processing Personal Data. Dealer is the Controller of End User data collected through Range Services. |
| Processor | The entity that processes Personal Data on behalf of the Controller. ShotPro is the Processor with respect to End User data processed through the Platform. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws including CCPA and GDPR. |
| Processing | Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction. |
| Data Subject | The natural person to whom Personal Data relates. In the Platform context, Data Subjects are primarily End Users (range customers). |
| Sub-Processor | A third-party processor engaged by ShotPro to process Personal Data on ShotPro's behalf in connection with the Platform. |
| Security Incident | Any confirmed unauthorized access, acquisition, disclosure, or destruction of Personal Data processed under this DPA. |
| CCPA | The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (CPRA), and its implementing regulations. |
| GDPR | The General Data Protection Regulation (EU) 2016/679, and where applicable, the UK GDPR as retained in UK domestic law. |
| EEA | The European Economic Area, comprising EU member states plus Iceland, Liechtenstein, and Norway. |
Section 2 — Scope and Data Processing Roles
2.1 Roles of the Parties
The Parties acknowledge and agree that with respect to the processing of End User Personal Data through the Platform:
- Dealer is the Controller — Dealer determines the purposes for which End User data is collected (range operations, waiver compliance, membership management) and instructs ShotPro accordingly.
- ShotPro is the Processor — ShotPro processes Personal Data solely on Dealer's behalf, in accordance with Dealer's documented instructions and this DPA.
- With respect to ShotPro's own customer and account data (Dealer's business data), ShotPro acts as an independent Controller governed by its Privacy Policy.
2.2 Categories of Personal Data Processed
| Data Category | Examples |
|---|---|
| Identity Data | Full name, date of birth, government ID number (for age verification) |
| Contact Data | Email address, phone number, mailing address |
| Transaction Data | Purchase history, reservation records, membership status, payment confirmations |
| Waiver & Consent Data | Digital waiver signatures, date/time of execution, IP address, consent records |
| Usage Data | Platform activity logs, check-in records, session data |
| Communications Data | SMS opt-in/opt-out records, message delivery logs |
| Financial Data | Partial payment card data (last 4 digits), transaction IDs. Full card data held exclusively by ProPay, Inc. and Wells Fargo Bank, N.A. — ShotPro is not a card data custodian. |
2.3 Purposes of Processing
ShotPro processes Personal Data solely for the following purposes as instructed by Dealer:
- Facilitating End User registration, check-in, waiver execution, and reservation booking
- Processing payments and managing transaction records as merchant of record
- Delivering SMS communications authorized by End User opt-in
- Providing reporting and analytics to Dealer regarding End User activity
- Maintaining platform security, fraud prevention, and regulatory compliance
- Facilitating payment processing through ShotPro's payment facilitator arrangement with ProPay, Inc. and Wells Fargo Bank, N.A., in which Dealer participates as a sub-merchant (MSA Section 9)
- Supporting Dealer's customer service and dispute resolution obligations
Section 3 — ShotPro Processor Obligations
3.1 Instructions
ShotPro shall process Personal Data only on documented instructions from Dealer, as set forth in this DPA and the MSA. If ShotPro is required by applicable law to process Personal Data beyond Dealer's instructions, ShotPro shall notify Dealer before such processing unless prohibited by law.
3.2 Confidentiality of Processing
ShotPro shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. ShotPro shall not disclose Personal Data to any third party except as permitted under this DPA or as required by law.
3.3 Security Measures
ShotPro shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, destruction, loss, alteration, or disclosure. These measures include, at minimum:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Role-based access controls limiting Personal Data access to authorized personnel only
- Multi-factor authentication for administrative access to production systems
- Regular security testing including vulnerability scanning and penetration testing
- 24/7 automated security monitoring with alerting for anomalous activity
- Employee security training and background checks for personnel with data access
- Incident response procedures aligned with the breach notification timelines in Section 5
3.4 Data Minimization
ShotPro shall collect and process only the minimum Personal Data necessary to provide the Platform services described in the MSA. ShotPro shall not process Personal Data for its own commercial purposes beyond what is expressly authorized in this DPA.
3.5 Assistance to Dealer
Taking into account the nature of the processing, ShotPro shall assist Dealer by appropriate technical and organizational measures in responding to Data Subject rights requests (Section 6), conducting data protection impact assessments, and meeting Dealer's obligations under applicable privacy laws.
Section 4 — Sub-Processors
4.1 Authorized Sub-Processors
ShotPro engages third-party sub-processors to assist in delivering the Platform, including providers of cloud infrastructure, payment processing, communications, and CRM services. All sub-processors are located in the United States. ShotPro imposes data protection obligations on each sub-processor equivalent to those in this DPA.
The complete list of ShotPro's authorized sub-processors, including vendor names, processing purposes, and data categories, is maintained as a confidential document available exclusively to verified signed Dealers upon written request.
To request the sub-processor list, active Dealers may contact: legal@shotprotechnologies.com
Subject line: Sub-Processor List Request — [Range Name] — [Order Form Date]
ShotPro will respond within five (5) business days of a verified request. The sub-processor list is provided under the confidentiality obligations of MSA Section 11 and is not authorized for further distribution.
4.2 New Sub-Processors
ShotPro shall notify active Dealers by email at least thirty (30) days before engaging any new sub-processor that will process Personal Data. Dealer may object to a new sub-processor in writing within fifteen (15) days of such notice. If the Parties cannot resolve the objection, Dealer may terminate the MSA without early termination penalty.
Section 5 — Security Incidents and Breach Notification
5.1 Detection and Assessment
ShotPro shall maintain monitoring systems designed to detect Security Incidents promptly. Upon becoming aware of a confirmed or reasonably suspected Security Incident affecting Personal Data processed under this DPA, ShotPro shall assess the nature and scope of the incident without undue delay.
5.2 Notification Timelines
| Event | Timeline | Content |
|---|---|---|
| Initial Dealer Notification | Within 48 hours of confirmed or reasonably suspected incident | Nature of incident, categories of data, estimated number of Data Subjects affected, contact point for further information |
| Updated Notification | As information becomes available | Measures taken to address and mitigate the incident, ongoing risk assessment |
| Final Report | Within 5 business days of resolution | Root cause analysis, remediation steps, preventive measures implemented |
| CCPA Notification Support | Per applicable law (generally without unreasonable delay) | ShotPro provides information necessary for Dealer to fulfill statutory notification obligations |
| GDPR Notification Support | Within 72 hours where required | ShotPro provides information necessary for Dealer to notify supervisory authorities |
5.3 Cooperation
ShotPro shall cooperate fully with Dealer in investigating any Security Incident, providing all information reasonably required for Dealer to meet its statutory notification obligations under CCPA, GDPR, and any other applicable breach notification laws. ShotPro shall not make any public statement regarding a Security Incident without Dealer's prior written consent, unless required by law.
Section 6 — Data Subject Rights
ShotPro shall, upon Dealer's written request and within a commercially reasonable time (not to exceed ten (10) business days), provide technical assistance to enable Dealer to respond to Data Subject rights requests. Supported rights include:
| Right | Applicable Law | ShotPro Assistance |
|---|---|---|
| Right to Know / Access | CCPA, GDPR Art. 15 | Export of Personal Data held for specific Data Subject |
| Right to Deletion | CCPA, GDPR Art. 17 | Deletion of Personal Data subject to legal retention requirements |
| Right to Correction | CCPA, GDPR Art. 16 | Update of inaccurate Personal Data in Platform records |
| Right to Portability | GDPR Art. 20 | Export of Personal Data in machine-readable format (CSV, JSON, or XML) via self-service dashboard or support request. Applies to data actively processed on Dealer behalf. |
| Right to Opt-Out of Sale | CCPA | Confirmation that ShotPro does not sell Personal Data |
| Right to Restrict Processing | GDPR Art. 18 | Flagging of records to pause active processing pending resolution |
ShotPro does not sell, rent, or otherwise commercially exploit End User Personal Data. Personal Data is processed solely to provide services under the MSA and this DPA. This position is consistent with CCPA's definition of 'service provider' and GDPR's definition of 'processor.'
Section 7 — Data Retention and Deletion
7.1 Retention During Term
ShotPro shall retain Personal Data for as long as necessary to provide the Platform services, and in accordance with Dealer's instructions and applicable legal requirements. Waiver records may be subject to minimum retention requirements under state firearms and liability laws; ShotPro will inform Dealer of any such requirements that affect deletion schedules.
7.2 Deletion Upon Termination
Upon termination of the MSA, ShotPro shall, within thirty (30) days of Dealer's written request, either:
- Return to Dealer all Personal Data in a portable, machine-readable format (CSV or equivalent); or
- Certifiably delete all Personal Data from ShotPro's systems and storage media, and confirm deletion in writing
ShotPro may retain Personal Data beyond this period only to the extent required by applicable law, and only for so long as legally required. Retained data shall remain subject to the confidentiality and security obligations of this DPA.
7.3 Backup Retention
Automated backups are retained for ninety (90) days. Deletion requests apply to active systems immediately; backups containing deleted data will be purged in the ordinary course of the backup rotation schedule within ninety (90) days.
Section 8 — International Data Transfers
8.1 Processing Location
ShotPro processes Personal Data primarily in the United States. ShotPro's infrastructure (AWS) and key sub-processors are U.S.-based. ShotPro does not transfer Personal Data outside the United States in the ordinary course of operations.
8.2 EEA/UK Transfers
To the extent Dealer collects Personal Data from individuals in the European Economic Area or United Kingdom (e.g., international visitors to a range), any transfer of such data to ShotPro in the United States shall be governed by the Standard Contractual Clauses (SCCs) issued by the European Commission (as applicable), incorporated herein by reference. Dealer represents that it has a lawful basis for such transfers and will notify ShotPro if EEA/UK data volumes become material.
Section 9 — Audit Rights and Compliance
9.1 ShotPro Documentation
ShotPro shall maintain records of all processing activities carried out on behalf of Dealer as required by GDPR Article 30(2) and applicable law. Such records shall include the categories of processing, sub-processors engaged, and security measures in place.
9.2 Audit Rights
Dealer may, no more than once per calendar year and upon thirty (30) days' prior written notice, request a written compliance report or audit of ShotPro's data processing activities under this DPA. ShotPro may satisfy this obligation by providing a current SOC 2 Type II report, ISO 27001 certification, or substantially equivalent third-party audit report. If Dealer requires an independent audit beyond a third-party report, the Parties shall agree on scope, timing, and cost allocation in advance.
9.3 Regulatory Cooperation
ShotPro shall reasonably cooperate with Dealer in responding to inquiries, investigations, or enforcement actions by data protection authorities relating to Processing under this DPA. Each Party shall bear its own costs in connection with regulatory cooperation unless the matter arises primarily from the other Party's breach.
Section 10 — CCPA-Specific Provisions
10.1 Service Provider Designation
For purposes of the CCPA, ShotPro acts as a Service Provider with respect to Personal Data received from Dealer. ShotPro shall not:
- Sell or share Personal Data as those terms are defined under the CCPA
- Retain, use, or disclose Personal Data for any commercial purpose other than performing services under the MSA
- Retain, use, or disclose Personal Data outside of the direct business relationship with Dealer
- Combine Personal Data received from Dealer with Personal Data received from other sources, except as permitted under CCPA regulations for service providers
10.2 Opt-Out Signal Compliance
ShotPro shall honor Global Privacy Control (GPC) signals and opt-out of sale/sharing requests to the extent technically feasible within the Platform. Dealer is responsible for configuring End User-facing privacy controls in compliance with CCPA requirements applicable to Dealer's business.
10.3 Consumer Request Assistance
ShotPro shall assist Dealer in responding to verified consumer requests under the CCPA within the timeframes specified in Section 6. ShotPro shall not disclose Personal Data in response to direct consumer requests unless specifically directed by Dealer or required by law.
Section 11 — General Provisions
11.1 Precedence. In the event of conflict between this DPA and the MSA regarding data protection obligations, this DPA controls. In all other matters, the MSA controls.
11.2 Entire Agreement. This DPA, together with the MSA and Order Form, constitutes the entire agreement between the Parties regarding the processing of Personal Data.
11.3 Amendment. ShotPro may update this DPA to reflect changes in applicable law or its processing activities upon thirty (30) days' written notice to Dealer. Continued use of the Platform following the notice period constitutes acceptance.
11.4 Liability. Each Party's liability under this DPA is subject to the limitation of liability provisions in Section 11 of the MSA, except where prohibited by applicable data protection law.
11.5 Governing Law. This DPA shall be governed by the laws of the State of Texas, consistent with the MSA, except to the extent that applicable data protection law requires otherwise.
11.6 Execution. This DPA is incorporated into the MSA by reference per MSA Section 8.2 and is effective as of the Order Form execution date. No separate signature is required.
Version History
| Version | Changes |
|---|---|
| v2026.03.02 | Aligned with MSA v2.0: updated incorporation ref to MSA §8.2, liability cap ref to MSA §11, named ProPay/Wells Fargo in Financial Data category and processing purposes, expanded data portability formats (CSV/JSON/XML), added sub-merchant purpose per MSA §9. |
| v2026.03.01 | Initial release. CCPA and GDPR scope. Sub-processor list confidential (per Section 4.1). 48-hour breach notification. SCCs for EEA/UK transfers. Incorporated into MSA by reference. |