Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is entered into between ShotPro Technologies, Inc. (“Processor”) and the Dealer (“Controller”), as defined in the Master Services Agreement (“MSA”). This DPA forms part of the MSA and governs the processing of Personal Data by Processor on behalf of Controller.

Definitions

Terms like “Personal Data,” “Processing,” “Controller,” “Processor,” and “Data Subject” have the meanings given in the GDPR, CCPA, or equivalent laws.

Scope and Roles

2.1 Controller determines the purposes and means of Processing Personal Data. Processor processes Personal Data only on documented instructions from Controller, including for Platform services.

2.2 Types of Personal Data: Names, contact details, birth dates, payment information, usage data.

2.3 Categories of Data Subjects: End Users, Dealer personnel.

2.4 Purpose: To provide Range Services, payment processing, SMS communications, analytics.

Obligations of Processor

3.1 Compliance: Processor shall comply with GDPR, CCPA, and other data protection laws. If health data (e.g., training certifications) is involved, Processor shall reference and comply with HIPAA requirements, including safeguards for protected health information (PHI).

3.2 Instructions: Process only as instructed by Controller, unless required by law (with prior notice where possible).

3.3 Confidentiality: Ensure personnel are bound by confidentiality.

3.4 Security: Implement appropriate technical and organizational measures (e.g., encryption, access controls).

3.5 Sub-Processors: Processor may engage sub-processors (e.g., Stripe for payments). List of sub-processors available upon request. Controller may object; Processor will notify of changes.

3.6 Data Subject Rights: Assist Controller with requests (e.g., access, deletion) within reasonable timelines.

3.7 Breach Notification: Notify Controller without undue delay (within 72 hours) of a Personal Data breach.

3.8 Audits: Allow audits by Controller or auditor, subject to reasonable notice.

3.9 International Transfers: Use safeguards (e.g., Standard Contractual Clauses) for transfers outside EEA/US.

3.10 Return/Deletion: At termination, return or delete Personal Data as instructed.

Obligations of Controller

4.1 Lawful Basis: Ensure lawful basis for Processing, including consents.

4.2 Instructions: Provide clear instructions.

Liability

Limited as per MSA Section 10.

Term and Termination

Aligns with MSA Term.

Governing Law

Texas law, as per MSA.

IN WITNESS WHEREOF, the Parties execute this DPA electronically as part of the MSA.