How to execute this DPA
This is SpiralXO's standard Data Processing Agreement. Customer-specific fields are indicated in italics in Section 1 (Parties) and Section 11 (Execution) and must be completed before signing. All other terms are standard and non-negotiable. Both parties should retain a fully executed copy. This DPA is incorporated by reference into the SpiralXO subscription agreement and EU Terms and Conditions Addendum. To request a pre-completed copy or to submit a signed DPA, contact legal@spiralxo.com.
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
Data Controller
Insert full legal name of customer organization
Registered address:
Insert customer registered business address
VAT number:
Insert customer VAT identification number
Authorized representative:
Insert name and title of authorized signatory
Data Processor
FieldIQ Holdings LLC (SpiralXO)
Registered address:
30 N. Gould St., Sheridan, WY 82801, United States of America
Data protection contact:
Together referred to as “the Parties.” This DPA takes effect on the date of signature or, where incorporated by reference, on the effective date of the subscription agreement.
2. Definitions
Terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679) and the EU Terms and Conditions Addendum. In addition:
- “Agreement”: The SpiralXO subscription agreement and EU Terms and Conditions Addendum between the Parties, into which this DPA is incorporated.
- “Controller Data”: Personal data submitted to or processed through SpiralXO by or on behalf of the Controller in connection with the Agreement.
- “Data Protection Laws”: The GDPR and all applicable national implementing legislation, including as retained in UK law (UK GDPR), and any successor legislation.
- “GDPR”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- “Processing”: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- “Sub-Processor”: Any third party engaged by SpiralXO (the Processor) to carry out processing activities on behalf of the Controller.
3. Subject Matter, Duration, and Nature of Processing
| Element | Description |
|---|---|
| Subject matter | Processing of personal data in connection with the provision of the SpiralXO football operations and coaching management platform |
| Duration | For the term of the subscription agreement, plus any applicable post-termination retention period as set out in Section 10 of this DPA |
| Nature of processing | Collection, storage, organization, structuring, retrieval, use, disclosure by transmission, and deletion of personal data through the SpiralXO platform infrastructure hosted on AWS (US regions) |
| Purpose of processing | To provide the SpiralXO platform features including team management, playbook and practice planning, player learning tools, game preparation tools, communication, and in-game analytics as described in the subscription agreement |
| Types of personal data | Organization account data; coach, staff, and player profile data (name, email, role, position, team assignment); platform usage data; communication data; football program content; billing data (processed by Stripe) |
| Categories of data subjects | Authorized users of the Controller's SpiralXO account: coaches, staff members, and players, all aged 18 or older (EU customers) |
4. Processor Obligations
4.1 Instructions
SpiralXO shall process Controller Data only on documented instructions from the Controller, including as set out in this DPA and the Agreement, unless required to do so by applicable law. SpiralXO shall immediately inform the Controller if, in its opinion, an instruction violates Data Protection Laws.
4.2 Confidentiality
SpiralXO shall ensure that persons authorized to process Controller Data are bound by appropriate confidentiality obligations and have received training on data protection requirements. Access to Controller Data is limited to personnel who need it to provide the service.
4.3 Security Measures
SpiralXO shall implement and maintain appropriate technical and organizational security measures to protect Controller Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Industry-standard encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256).
- Secure password hashing (bcrypt or equivalent). Plain-text passwords are never stored.
- Role-based access controls limiting data access to authorized personnel.
- Regular security monitoring, vulnerability scanning, and penetration testing.
- Detailed logging of administrative access and support impersonation activities.
- AWS infrastructure security controls including VPC isolation, security groups, and IAM policies.
4.4 Assistance with Data Subject Rights
SpiralXO shall, taking into account the nature of the processing and the information available, assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts SpiralXO directly with a rights request that should be addressed by the Controller, SpiralXO shall promptly forward that request to the Controller.
4.5 Assistance with Security and Breach Obligations
SpiralXO shall assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR, including:
- Notifying the Controller without undue delay (and in any event within 48 hours of becoming aware) of any personal data breach affecting Controller Data, together with all information reasonably necessary for the Controller to meet its 72-hour notification obligation to supervisory authorities under Article 33 GDPR.
- Providing reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) where required under Article 35 GDPR.
4.6 Deletion and Return of Data
Upon termination of the Agreement for any reason, SpiralXO shall, at the Controller's election:
- Delete all Controller Data from SpiralXO's systems within 90 days following the end of the 90-day post-termination grace period (i.e., within 180 days of termination); or
- Provide the Controller with a data export in a machine-readable format (CSV or JSON) within 30 days of a written export request, after which SpiralXO will delete the exported data.
Notwithstanding the above, SpiralXO may retain data where required by applicable law, for the periods set out in the EU Privacy Policy Addendum retention schedule. SpiralXO shall certify deletion in writing upon request.
4.7 Audit Rights
SpiralXO shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller shall:
- Give SpiralXO at least 30 days' prior written notice of any audit request.
- Conduct audits during normal business hours and in a manner that minimizes disruption to SpiralXO's operations.
- Bear the costs of any third-party auditor engaged by the Controller.
SpiralXO may satisfy audit requests by providing up-to-date third-party security audit reports or certifications (such as SOC 2 Type II, ISO 27001, or equivalent) where available and applicable.
5. Sub-Processors
5.1 General Authorization
The Controller provides general written authorization for SpiralXO to engage the sub-processors listed in Annex I to this DPA. SpiralXO shall impose data protection obligations on sub-processors equivalent to those in this DPA and shall remain liable to the Controller for the performance of sub-processors' obligations.
5.2 New Sub-Processors
SpiralXO shall notify the Controller at least 14 days before engaging any new sub-processor or replacing an existing one. The Controller may object to a new sub-processor on reasonable data protection grounds by providing written notice within 14 days of receipt of the notification. If the Controller objects and the Parties cannot resolve the objection within 30 days, either party may terminate the Agreement without penalty on 30 days' written notice.
5.3 Current Sub-Processor List (Annex I)
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure — all Controller Data is stored on AWS US-region servers | United States | EU–US DPF + 2021 SCCs |
| Stripe, Inc. | Payment processing (billing data only — does not receive football program or user content data) | United States | EU–US DPF + 2021 SCCs |
| Google LLC (Google Analytics) | Anonymized platform usage analytics. Activated only with user consent. IP anonymization enabled. | United States | 2021 SCCs |
| PostHog Inc. | Product analytics and session recording. Activated only with user consent. Sensitive input fields masked. | United States | 2021 SCCs |
| Calendly LLC | Demo scheduling (name and email of demo requestees only — not Controller Data in the strict sense) | United States | 2021 SCCs |
6. International Data Transfers
All Controller Data is stored and processed on AWS infrastructure located in the United States. SpiralXO ensures that transfers of Controller Data from the EEA to the United States and to other sub-processors are covered by appropriate transfer mechanisms, specifically:
- 2021 Standard Contractual Clauses (SCCs): The European Commission's 2021 SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA as Annex III and apply to all transfers of Controller Data to SpiralXO in the United States and to sub-processors in third countries without an adequacy decision.
- EU–US Data Privacy Framework: Where applicable sub-processors (including AWS and Stripe) are certified under the EU–US Data Privacy Framework, that adequacy mechanism also applies.
7. Controller Obligations
The Controller represents and warrants that:
- It has a lawful basis under GDPR Article 6 for providing Controller Data to SpiralXO for processing.
- It has informed data subjects about the processing of their data by SpiralXO as a sub-processor, including international transfers.
- All users of the Controller's SpiralXO account in the EU are 18 years of age or older.
- It holds a valid VAT identification number and has provided accurate details to SpiralXO.
- It will promptly notify SpiralXO of any changes to its data processing instructions that affect SpiralXO's obligations under this DPA.
8. Liability
Each Party's liability under this DPA is subject to the limitations set out in the Agreement and the EU Terms and Conditions Addendum, except that:
- Liability for wilful misconduct (Vorsatz) and gross negligence (grobe Fahrlässigkeit) is not limited or excluded, in accordance with §276 BGB and equivalent provisions of applicable EU law.
- Liability for personal injury or death caused by negligence is not limited or excluded.
- Nothing in this DPA limits any liability that cannot be excluded or capped under applicable Data Protection Laws.
9. Term and Termination
This DPA takes effect on the date of execution or, where incorporated by reference, on the effective date of the Agreement, and remains in force for the duration of the Agreement. Termination of the Agreement automatically terminates this DPA, subject to the post-termination data deletion obligations in Section 4.6.
10. Governing Law and Jurisdiction
This DPA is governed by the laws of the State of Wyoming, without regard to conflict of law principles, except where mandatory provisions of applicable EU member state law apply. The jurisdiction and dispute resolution provisions of the EU Terms and Conditions Addendum apply to this DPA.
11. Execution
By signing below, each party confirms it has read, understood, and agrees to be bound by this Data Processing Agreement.
For and on behalf of the Controller
Organization
Insert customer legal name
Name
Title
Date
Signature
For and on behalf of the Processor (SpiralXO)
Organization
FieldIQ Holdings LLC (SpiralXO)
Name
Title
Date
Signature
Version 1.0 · Last updated: January 26, 2026 · FieldIQ Holdings LLC · legal@spiralxo.com