DATA PROCESSING AGREEMENT
This Data Processing Agreement (DPA) is entered into by and between:
Client: The grassroots football club or organisation using TeamFeePay Platform and/or Services pursuant to a Client Agreement.
TeamFeePay: The platform service provider that processes the Client Data on behalf of the Client.
This DPA governs how TeamFeePay handles and processes data provided by the Client and its Members. All defined terms are found in the Client Agreement or as below. The effective date of this DPA is 1 June 2025.
1. INSTRUCTIONS FOR DATA PROCESSING
The Client agrees to instruct TeamFeePay to process Member Data in line with the services provided through the TeamFeePay Platform and/or Services. TeamFeePay will only process Member Data in accordance with the Client’s written instructions and as necessary to perform the services agreed upon in the Client Agreement.
2. RESPONSIBILITIES OF TEAMFEEPAY
TeamFeePay agrees to:
• Only process Client Data in accordance with the Client’s reasonable, lawful, and documented instructions, as specified in the Client Agreement, this DPA, and any applicable Order Forms.
• Ensure that TeamFeePay employees and subcontractors who may be required to assist in processing Client Data are under a binding obligation to protect the confidentiality of Client Data.
• Implement and maintain appropriate technical and organisational measures to protect Client Data, including pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, the ability to restore access to Client Data in a timely manner in the event of a physical or technical incident, and regularly testing, assessing, and evaluating the effectiveness of these measures.
• Provide reasonable assistance and co-operation to the Client to help them comply with obligations under Data Protection Legislation, including in the event of a Client Data breach or individual rights requests from Members.
• Provide the Client with necessary information to demonstrate compliance with this DPA and, where required by applicable Data Protection Legislation, allow the Client to audit TeamFeePay’s processing of Client Data.
• Subcontract the processing of Client Data only pursuant to a written agreement that imposes the same obligations set out in this DPA or substantially similar obligations. TeamFeePay will remain liable for the actions of subprocessors. The Client may object to a new subprocessor by notifying TeamFeePay promptly in writing within ten (10) days of notice. If the Client objects to a new subprocessor, TeamFeePay will use reasonable efforts to make available a change in services or recommend a reasonable change to avoid processing Client Data by the objected-to subprocessor.
• Adopt reasonable measures to ensure legally compliant cross-border transfers of Client Data.
• Notify the Client without undue delay of any personal data breach, including accidental, unlawful, or unauthorised destruction, disclosure, loss, alteration, or access in relation to Client Data processed on behalf of the Client.
• Upon termination or expiry of the Agreement, at the Client’s choice, delete or return the Client Data in accordance with the Client Agreement.
3. DATA PROCESSING DETAILS
This is outlined in Schedule 1.
4. SECURITY MEASURES
This is outlined in Schedule 2.
5. INTERNATIONAL DATA TRANSFERS
If any Member Data is transferred outside the country where the Client is located, TeamFeePay will ensure that such transfers are compliant with relevant Data Protection Legislation:
• If the Personal Data is transferred from the UK, TeamFeePay shall comply with the UK SCCs for such transfers and ensure that any onward transfer to subprocessors is compliant with the UK SCCs.
• Where Personal Data is transferred from an EU or EEA country, TeamFeePay shall execute the EU SCCs and ensure that any onward transfer to subprocessors is compliant with the EU SCCs.
Where applicable:
• Schedules 1, 2, and 3 of this DPA shall apply and be deemed to be Annexes 1, 2, and 3 of the C2P or P2P SCCs.
• The optional Docking Clause shall apply.
• General Written Authorisation shall apply to the use of subprocessors, and the time period for informing the data exporter of intended changes to the list of subprocessors shall be 30 days.
• The optional wording regarding redress shall not apply.
• The choice of law, forum, and jurisdictions shall be as follows: the laws and courts of the country or EU Member State where the Client is established.
6. RIGHTS OF MEMBERS
Members (players, parents, staff) whose data is processed under this agreement have certain rights under Data Protection Legislation, including the right to:
• Request access to their data
• Request correction of inaccurate data
• Request deletion of their data in certain circumstances
• Object to processing of their data for certain purposes
TeamFeePay will assist the Client in responding to any requests from Members regarding their personal data.
7. SUB-PROCESSORS
TeamFeePay may engage subprocessors to help with processing Client Data. These subprocessors will be carefully selected to meet the same high standards for data protection. The Client will be informed of any new subprocessors before they are engaged.
8. COMPLIANCE WITH LAWS
Both TeamFeePay and the Client agree to comply with all applicable Data Protection Legislation. This includes ensuring the lawful collection, processing, and protection of Member Data.
For Clients established in the United States, Schedule 4 shall apply to TeamFeePay’s processing of Client Data.
For Clients established in Australia, TeamFeePay agrees to comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) in relation to processing of Australian Client Data. This includes taking reasonable steps to ensure that any third-party subprocessors comply with the APPs when processing Australian Client Data. TeamFeePay will not disclose Australian Client Data to any party outside Australia unless the Client has consented or where TeamFeePay is satisfied that the recipient country provides adequate protections for personal data.
9. TERM AND TERMINATION
This DPA will remain in effect as long as the Client uses TeamFeePay’s services. Either party may terminate the DPA upon written notice, and upon termination, TeamFeePay will either return or delete all Member Data as requested by the Client or in accordance with the terms of the Client Agreement.
10. DEFINITIONS
Client Data: This refers to any personal data that belongs to the Client’s Members (players, coaches, staff, etc.) that TeamFeePay processes as part of providing its services. This includes any data provided by the Client, such as Member names, contact information, membership status, participation in events, and more.
Personal Data: Any information relating to an identified or identifiable individual. This could include names, contact information, membership records, attendance, performance data, and other details that can be used to identify an individual.
Sub-Processor: A third-party service provider engaged by TeamFeePay to assist in processing Client Data.
Data Protection Legislation: This includes any applicable laws that protect personal data privacy and security, including, without limitation, the UK Data Protection Act 1998, the UK GDPR, the EU General Data Protection Regulation (EU GDPR) 2016/679, the EU Privacy and Electronic Communications Directive 2002/58/EC, the Florida Privacy Protection Act (FIPA), California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and all other applicable or replacement international, regional, state, federal, or national data protection laws and regulations.
SCC’s/Standard Contractual Clauses: in respect of Personal Data processed by TeamFeePay in: (a) the EEA and/or processing EEA Personal Data, the unchanged EU Commission-approved version of the standard contractual clauses in Commission Decision 2021/914/EU (the “EU SCCs”); (b) the UK, and/or processing Personal Data to which UK Privacy Laws apply (“UK Personal Data”), the EU SCCs as modified by the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under s119A(1) of the Data Protection Act 2018 (“UK SCCs”).
SCHEDULE 1
Processing Overview / Annex 1 to the SCC (processors)
THE PARTIES
| Data Exporter (Controller) | The legal entity known as ‘Client’ that has entered into an agreement with TeamFeePay to access and use the TeamFeePay Platform and/or Services subject to the terms of a Client Agreement. |
| Data Importer (Processor) | Concept Apps Ltd (trading as TeamFeePay). Please contact the Chief Information Officer. TeamFeePay is a provider of software and services to the Data Exporter. |
PROCESSING OVERVIEW
| Categories of data subjects whose Personal Data is transferred | Client’s Members; Client’s Administrators |
| Categories of Personal Data transferred | Names, date of birth, gender, contact information (email, telephone/mobile number, home address), information about membership and membership of football regional/national associations, attendance history, performance results, squad number, emergency contacts, IP addresses and other website and device usage information, as well as any and all additional comments, notes or other information about a member submitted by any Member and/or an Administrator. |
| Special Categories of Data transferred | TeamFeePay is instructed on behalf of the Client to process some sensitive Personal Data, such as: financial and credit card data; government identification (passport/driving licences/birth certificates etc); race; ethnicity; health data (height, weight, shoe size, medical history, medication requirements etc); citizenship; geolocation; gender identity. |
| Frequency | On a continuous basis as instructed by the Client. |
| Nature & Purpose of Processing | TeamFeePay will process Member Data to: manage registrations and payments of Members; communicate with Members regarding club events, activities, or payments; track attendance, results, and progress; provide other administrative support for the Client’s operations. |
| Retention Period | TeamFeePay will retain the Client Data for the duration of the Client Agreement, unless instructed by the Client to return or delete the Client Data at an earlier or later date. |
| Sub-Processors | The Client authorises TeamFeePay to utilise the sub-processors set out at Schedule 3 (and additional sub-processors in accordance with the above). |
| Supervisory Authority | The data protection authority that supervises the Client (this will be the authority of the country where the Client is established). |
SCHEDULE 2
Annex III to the C2P SCCs – Technical and Organizational Measures
Description of the technical and organisational security measures implemented by the data importer:
TeamFeePay confirms that we have already implemented, and continue to maintain, appropriate technical and organisational measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, particularly where data is transmitted over a network. These measures ensure that we maintain a level of security that is appropriate to the risks involved in processing and the nature, scope, context, and purposes of the processing. This includes, but is not limited to:
• Pseudonymisation and encryption of personal data.
• Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems.
• Ensuring the ability to restore access to personal data in a timely manner if a physical or technical incident occurs.
• Regularly testing and assessing the effectiveness of the security measures.
The following measures have been implemented by the data importer:
(1) A written information security programme that follows industry standards, including administrative, technical, and physical safeguards to protect personal data from unauthorised access, destruction, or modification.
(2) Adopting and implementing appropriate security policies and standards.
(3) Assigning responsibility for managing information security.
(4) Ensuring adequate personnel resources for information security.
(5) Conducting background checks on staff who will have access to personal data.
(6) Requiring employees, vendors, and others with access to personal data to sign confidentiality agreements.
(7) Providing training to employees and others with access to personal data to raise awareness of security risks and ensure compliance with data protection policies.
(8) Taking appropriate steps to prevent unauthorised access to personal data, including physical security (e.g., ID cards, alarm systems, surveillance) and logical security measures (e.g., password enforcement, firewalls, encryption, secure log-ins, virus protection).
(9) Other appropriate steps as required by the circumstances.
SCHEDULE 3
Annex III to the C2P SCCs – LIST OF SUB-PROCESSORS
The Client has authorised the use of the following sub-processors.
| Subprocessor | Services | Location | Client Data |
| Stripe | Payment Processing Services | UK, Ireland, Canada, USA, Australia | Personal Data necessary to manage and process payment transactions, including: cardholder name, email address, unique customer identifiers, transaction data (amount, date, time), merchant information, card type, location. No credit card information is stored by TeamFeePay or the Client. |
| Amazon (AWS) | Data centre hosting facilities | Ireland | All data including Personal Data. |
| CloudOrca | Outsourced customer service and support consultancy | UK | All data included within CRM systems (Salesforce) |
| Salesforce (including Heroku) | Cloud-based customer service management and communications services; cloud-based platform-as-a-service | USA | Personal Data necessary to assist TeamFeePay to deliver and manage services to individual Clients, including: identification/contact information including first and last name, email address, contact numbers. For Heroku: all data including Personal Data. |
| Front | Cloud-based customer support communication platform | UK, USA | Personal Data necessary to assist TeamFeePay in delivering customer support and communication services |
| Atlassian (JIRA) | Customer ticket management system | UK, Australia | Limited Personal Data necessary for TeamFeePay to manage customer support and software engineering services |
| Zoom | Video communications platform | US | Limited Personal Data including identification/contact information and storage of recorded meetings, demonstrations and proposals. |
SCHEDULE 4
Addendum for the Processing of the Data of Clients Established in the United States
TeamFeePay will only process the Client’s Data for the purpose of providing the agreed Services, and will not use it for any independent purposes, including for the commercial benefit of TeamFeePay or any other clients, without the Client’s prior written consent. Exceptions include activities like detecting security incidents or defending against fraud, where allowed by Data Protection Laws.
• TeamFeePay will not sell or share the Client’s Data, as defined by applicable Data Protection Legislation.
• TeamFeePay will not combine or match the Client’s Data with data from other sources, including its own data or data from third parties.
• TeamFeePay will comply with the California Privacy Rights Act (CPRA) and the Florida Information Protection Act (FIPA), and will ensure the privacy protection it provides meets or exceeds the requirements of these laws.
• If TeamFeePay is unable to meet the requirements of this DPA or applicable Data Protection Laws, it will inform the Client.
• The Client has the right to take steps to ensure that TeamFeePay uses the Client’s Data in accordance with Data Protection Laws.
• The Client has the right to stop or remedy any unauthorised use of its Data by TeamFeePay upon notice.
• If the Client asks TeamFeePay to stop or limit processing sensitive information (as defined by Data Protection Laws), TeamFeePay will promptly comply.
• TeamFeePay will regularly review its security measures to ensure they are adequate to protect Client Data in line with the evolving risks to individuals’ rights and freedoms.
• TeamFeePay confirms that it understands and will comply with the obligations set out in this Schedule 4.