DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Software as a Service Agreement (“Agreement”) between ShowGrounds, LLC (“Processor”) and customers (“Controller”) dated September 8th, 2025.

1. DEFINITIONS

1.1 “Data Protection Laws” means all applicable laws relating to data protection and privacy, including without limitation the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act (“CCPA”), and the Children’s Online Privacy Protection Act (“COPPA”).

1.2 “Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller pursuant to the Agreement.

1.3 “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

1.4 “Sub-processor” means any third party engaged by Processor to process Personal Data.

1.5 “Data Subject” means the individual to whom Personal Data relates, including Exhibitors, competitors, trainers, owners, and Event staff.

2. PROCESSING OF PERSONAL DATA

2.1 Scope of Processing. Processor shall process Personal Data only to provide the Service as described in the Agreement and in accordance with Controller’s documented instructions.

2.2 Categories of Data Subjects:

  • Exhibitors and competitors (including minors)
  • Horse owners and trainers
  • Event officials and staff
  • Judges and stewards
  • Vendors and service providers
  • Other Event participants

2.3 Types of Personal Data:

  • Identity data (names, dates of birth, membership numbers)
  • Contact data (addresses, email addresses, phone numbers)
  • Competition data (entries, results, rankings, points)
  • Horse information (names, registration numbers, ownership)
  • Financial data (payment methods, transaction history)
  • Health records (vaccination certificates, Coggins tests)
  • For minors: parental/guardian information and consents

2.4 Duration. Personal Data will be processed for the duration specified in the Data Retention Schedule (Schedule B of the Agreement).

3. PROCESSOR OBLIGATIONS

3.1 Compliance. Processor shall: a) Process Personal Data in compliance with Data Protection Laws; b) Maintain records of processing activities; c) Implement appropriate technical and organizational security measures; d) Ensure personnel processing Personal Data are bound by confidentiality obligations; e) Assist Controller with data subject rights requests; f) Notify Controller of any legally binding requests for Personal Data disclosure.

3.2 Security Measures. Processor implements and maintains: a) Encryption of Personal Data in transit and at rest; b) Access controls and authentication measures; c) Regular security assessments and penetration testing; d) Secure backup and disaster recovery procedures; e) Incident detection and response protocols; f) PCI DSS compliance for payment data processing via Spreedly.

3.3 Data Breach Notification. Processor shall notify Controller without undue delay and no later than 48 hours after becoming aware of any Personal Data breach, providing: a) Nature and scope of the breach; b) Categories and number of affected Data Subjects; c) Likely consequences; d) Measures taken to address the breach.

4. SUB-PROCESSORS

4.1 Authorized Sub-processors. Controller consents to Processor’s use of the following Sub-processors:

  • Spreedly – Payment processing and tokenization
  • Amazon Web Services (AWS) – Infrastructure and data storage
  • SendGrid – Email communication services
  • AWS QuickSight – Analytics and reporting services

4.2 New Sub-processors. Processor shall: a) Notify Controller of any intended changes to Sub-processors; b) Provide Controller 30 days to object to new Sub-processors; c) Ensure Sub-processors are bound by data protection obligations no less protective than this DPA.

5. DATA SUBJECT RIGHTS

5.1 Assistance with Rights. Processor shall assist Controller in responding to Data Subject requests for: a) Access to their Personal Data; b) Rectification or erasure of Personal Data; c) Restriction of processing; d) Data portability; e) Objection to processing.

5.2 Minors’ Rights. For Data Subjects under 18, Processor shall: a) Facilitate parental/guardian access rights; b) Support parental consent mechanisms; c) Enable deletion requests from parents/guardians; d) Maintain age-appropriate privacy protections.

6. INTERNATIONAL TRANSFERS

6.1 Transfer Mechanisms. As Personal Data is transferred from the EEA to the United States, Processor ensures appropriate safeguards through: a) Standard Contractual Clauses (Module 2: Controller to Processor); b) Technical and organizational measures per Schedule 1; c) AWS’s approved transfer mechanisms and certifications; d) Other approved transfer mechanisms under Data Protection Laws.

7. AUDIT AND COMPLIANCE

7.1 Audit Rights. Controller may conduct audits of Processor’s compliance with this DPA: a) Upon reasonable notice; b) No more than once annually unless required by Data Protection Laws; c) Subject to confidentiality obligations; d) At Controller’s expense.

7.2 Certifications. Processor shall maintain and provide upon request: a) Security certifications (SOC 2 Type II upon completion); b) PCI compliance attestations; c) AWS security compliance documentation; d) Other relevant compliance documentation.

8. DATA DELETION AND RETURN

8.1 Upon Termination. Following termination of the Agreement: a) Controller acknowledges that competition data forms part of the permanent public record of equestrian sport; b) Processor shall retain all competition results, entries, placings, and related Event data as historical records; c) Processor may delete or anonymize personal contact information, payment methods, and other non-competition data at its discretion; d) Controller may request export of their data in a standard format prior to termination.

8.2 Historical Record Retention. The following data categories shall be retained indefinitely as part of the sporting record: a) Competition results, placings, and points; b) Entry information and class participation; c) Horse and rider competition history; d) Show schedules and class lists; e) Rankings and championships; f) Judge’s cards and official scores; g) Any data that forms part of the official competition record.

8.3 Data Minimization. While retaining historical records, Processor may: a) Remove or anonymize sensitive personal data not required for the sporting record; b) Delete payment information and financial records per the retention schedule; c) Remove personal contact details while preserving competitor identification for results.

9. LIABILITY AND INDEMNIFICATION

9.1 Liability. Each party’s liability under this DPA is subject to the limitations set forth in the Agreement.

9.2 Indemnification. Processor shall indemnify Controller for damages arising from Processor’s breach of this DPA or Data Protection Laws.

10. MISCELLANEOUS

10.1 Governing Law. This DPA is governed by the laws specified in the Agreement.

10.2 Amendments. Modifications to this DPA must be made in writing and signed by both parties.

10.3 Severability. If any provision is invalid, the remaining provisions continue in effect.

10.4 Order of Precedence. In case of conflict between this DPA and the Agreement regarding data protection matters, this DPA prevails.

11. CALIFORNIA PRIVACY RIGHTS (CCPA)

11.1 Service Provider. Processor acts as a “Service Provider” under CCPA and shall: a) Process Personal Data only for the Agreement’s business purposes; b) Not sell Personal Data; c) Not retain, use, or disclose Personal Data except as permitted by CCPA.

12. EQUESTRIAN-SPECIFIC PROVISIONS

12.1 Governing Body Compliance. Processor supports Controller’s compliance with data requirements of: a) United States Equestrian Federation (USEF); b) Fédération Équestre Internationale (FEI); c) Other recognized equestrian organizations.

12.2 Competition Integrity. Processing of competition results and rankings serves the legitimate interest of maintaining accurate sporting records.
EXECUTION

By executing the Agreement, the parties agree to be bound by this Data Processing Addendum.

SCHEDULE 1: TECHNICAL AND ORGANIZATIONAL MEASURES

  1. Access Controls
    • Multi-factor authentication
    • Role-based access controls
    • Regular access reviews
  2. Encryption
    • TLS 1.2+ for data in transit
    • AES-256 encryption at rest
    • Encrypted backups
  3. Monitoring
    • 24/7 system monitoring
    • Intrusion detection systems
    • Security incident logging
  4. Business Continuity
    • Regular data backups
    • Disaster recovery plan
    • Redundant infrastructure
  5. Vendor Management
    • Security assessments
    • Contractual protections
    • Regular reviews