Data processing agreement
This Data Processing Agreement (hereinafter – the Agreement) is an integral part of the terms of use (hereinafter – the Main Agreement) of the skillball app (hereinafter – the Platform) between:
- SIA Digital Value 2B, reg. no. 50203664291, (hereinafter – the Processor) and
- The user of the Platform, who has registered on the Platform (hereinafter – the Controller).
Collectively referred to as the Parties.
Scope and purpose
- The purpose of this Agreement is to determine the rights, obligations, and responsibilities of the Parties regarding the processing of personal data, ensuring compliance with the requirements of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) (hereinafter – GDPR).
- This Agreement regulates the processing of personal data carried out by the Processor on behalf of the Controller in order to provide the Platform’s services (including video file uploading, storage, and artificial intelligence processing), as specified in the Main Agreement for the provision of services concluded by the Parties.
- Detailed information on the nature and purpose of the processing, the types of personal data processed, and the categories of data subjects is provided in Annex 1 to this Agreement, “Description of Data Processing”.
- This Agreement is an integral part of the Main Agreement and enters into force at the moment the Controller starts using the Platform and agrees to the terms of the Main Agreement, which includes a reference to these terms.
- In the event of any contradiction between the provisions of this Agreement and the provisions of the Main Agreement or any other agreement concluded between the Parties regarding the processing of personal data, the provisions of this Agreement shall prevail.
- The Agreement is in force for as long as the Controller has an active user account on the Platform and the Processor processes personal data on behalf of the Controller.
Rights and obligations of the Controller
- The Controller confirms and guarantees that it has an appropriate legal basis in accordance with the GDPR to process and disclose to the Processor personal data (video materials), in which third parties and minors may be visible.
- The Controller is fully responsible for the accuracy, content, reliability, and lawfulness of the processing of the personal data transferred to the Processor, as well as for appropriately informing the data subjects (e.g., players, their parents or guardians) about the data processing prior to their upload to the Platform.
- The Controller undertakes not to upload to the Platform and in no way transfer to the Processor special categories of personal data (sensitive data) (e.g., data concerning health, biometric data, etc.).
- The Controller assumes full responsibility for the use of any third-party integrations or interfaces (for example, by publishing or forwarding video fragments on social networks or other external sites). The Processor does not control and is not responsible for how the Controller uses or distributes data outside the Platform.
- The Controller is responsible for the appropriate security and confidentiality of their Platform access data (username, password).
- The Controller undertakes to inform the Processor without undue delay of any identified errors or non-conformities in the personal data processing processes on the Platform.
Rights and obligations of the Processor
- The Processor processes personal data only on behalf of the Controller and in accordance with its documented instructions contained in this Agreement, the Main Agreement, and Annex 1.
- The Processor ensures that persons (including employees) authorized to process personal data on behalf of the Processor have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This provision remains in force even after the termination of this Agreement.
- The Processor implements appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of personal data in accordance with the requirements of Article 32 of the GDPR. These measures are aimed at protecting data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Taking into account the nature of the processing and the information available, the Processor reasonably assists the Controller through appropriate technical and organizational measures to fulfill the Controller’s obligation to respond to requests from data subjects, as well as to comply with the security and reporting obligations set out in the GDPR.
- The Processor does not directly respond to requests from data subjects (e.g., players, spectators, or their parents) regarding the processing of their data. The Processor informs the Controller of the received request only if the information provided by the data subject allows the Processor to unequivocally and without disproportionate effort identify the respective Controller. Likewise, the Processor does not disclose information to state authorities, except in cases where it is directly required by applicable regulatory enactments or a court ruling.
- The Processor notifies the Controller without undue delay of any identified personal data breach (security incident) so that the Controller can fulfill its reporting obligations to data protection authorities or data subjects as stipulated by law.
- The Processor immediately informs the Controller if, in the Processor’s opinion, any of the Controller’s instructions infringes the GDPR or other applicable data protection provisions of the European Union or Member State law.
Service improvement and artificial intelligence training
- The Controller acknowledges and agrees that the Processor has the right to use data regarding the use of the Platform (including technical and telemetry data) in an aggregated and anonymized format to improve, optimize, and develop the Platform’s functionality, as well as for research and statistical purposes.
- In order to ensure the innovative functionality of the Platform (for example, automatic player recognition, generation of video fragments, etc.) and its continuous development, the Controller allows the Processor to use the video recordings uploaded to the Platform for training and improving artificial intelligence and computer vision models.
- The Processor guarantees that the artificial intelligence and computer vision models trained using the Controller’s data will function as general algorithms. The Processor ensures that the trained models will be technically unable to reproduce, disclose, or transfer the Controller’s personalized data or confidential information to other users of the Platform.
- Regarding the specific data processing purpose mentioned in Clauses 4.1 and 4.2 of this Agreement, the Parties agree that the Processor acts as an independent data Controller. Consequently, this specific data processing does not fall under the Processor’s obligations under this Agreement, and it is governed by the Processor’s general Privacy Policy.
Use of sub-processors
- The Controller grants the Processor general authorization to engage sub-processors (for example, cloud computing server providers, content delivery networks, and IT support systems) for the provision of services specified in this Agreement and the Main Agreement.
- The current list of sub-processors engaged by the Processor, indicating their name, country of location, and data processing role (function), is publicly available on the Platform’s website www.skill-ball.com.
- The Processor shall inform the Controller in advance, at least 30 (thirty) days before the changes take effect (for example, by sending a notification via email or on the Platform), of any planned changes concerning the addition or replacement of sub-processors.
- An exception is emergency situations (for example, critical security incidents or system downtimes) when the Processor must replace a sub-processor immediately for data protection purposes. In such a case, the Controller is informed as soon as possible.
- Taking into account the Platform’s unified technical infrastructure, the Processor cannot provide different sub-processors for individual Controllers. If the Controller, for data protection reasons, does not agree to the engagement of a new sub-processor, the Controller’s sole legal remedy is to unilaterally terminate the Main Agreement and discontinue the use of the Platform within 30 (thirty) days after receiving the notification. If the Controller does not terminate the Main Agreement within this period, the Controller shall be deemed to have fully agreed to the engagement of the new sub-processor.
- The Processor ensures that a written agreement is concluded with the engaged sub-processor, which imposes on the sub-processor at least the same data protection obligations as those set out in this Agreement (in particular, to provide sufficient guarantees to implement appropriate technical and organizational measures).
- Where the sub-processor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor’s obligations.
Transfer of data to third countries
- The Processor primarily ensures the storage and processing of personal data within the territory of the European Union (EU) or the European Economic Area (EEA).
- The Controller agrees and authorizes the Processor (or its engaged sub-processors) to transfer and process data in countries outside the EU/EEA, if it is necessary for the provision of the Platform’s services, provided that the Processor ensures appropriate legal safeguards in accordance with the requirements of Chapter V of the GDPR. Such transfer is carried out on the basis of:
  - an adequacy decision by the European Commission (for example, certification under the EU-U.S. Data Privacy Framework);
  - Standard Contractual Clauses (hereinafter – SCC) approved by the European Commission.
- In cases where the data transfer is based on SCC, the Processor, in cooperation with the sub-processor, implements appropriate supplementary technical and organizational measures (for example, data encryption during its transfer and storage) to ensure a level of personal data protection equivalent to European Union standards.
Audit rights
- The Controller’s right of audit stipulated in Article 28 of the GDPR is primarily implemented by the Processor providing the Controller with the necessary information and documentation (for example, descriptions of security measures, answers to self-assessment questionnaires), which demonstrate the Processor’s compliance with the requirements of this Agreement.
- Taking into account the Platform’s unified infrastructure, if the Processor or its engaged infrastructure sub-processor (for example, a server hosting provider) has a valid security audit report or certificate (for example, ISO 27001) conducted by an independent third party, issued within the last 12 (twelve) months, the Controller agrees to accept these documents as full and sufficient evidence of compliance with the audit requirements.
- An audit may be conducted only and exclusively in cases where:
  - the Controller has reasonable suspicions of a significant and actual personal data security breach in the Processor’s systems; or
  - the performance of an audit is directly requested by a competent supervisory authority, the Controller has the right to request an audit no more than 1 (one) time per year. The Controller shall inform the Processor in writing about the performance of such an exceptional audit at least 30 days in advance.
- In any case of an audit, it is not permitted, and the Controller has no right to request access to the data of other Platform users, the Processor’s trade secrets, or the Platform’s internal security architecture information. The audit must not unreasonably interfere with the performance of the Processor’s commercial activities.
- If the audit is performed by a third party (auditor) engaged by the Controller, this person must enter into a confidentiality agreement with the Processor before starting the audit, and they must not be a direct competitor of the Processor.
- All costs associated with the performance of the audits requested by the Controller as specified in Clause 7.3 of the Agreement, as well as the time devoted by the Processor to support this audit, at the Processor’s standard hourly rate, shall be fully covered by the Controller.
Term of the Agreement and data deletion
- This Agreement is in force for as long as the Controller uses the Platform in accordance with the Main Agreement and the Processor processes personal data on behalf of the Controller. The Agreement automatically expires at the moment the Main Agreement is terminated or the Controller’s user account on the Platform is closed (deleted).
- Upon termination of the Main Agreement (including if the account is closed on the Controller’s initiative or the Processor closes it due to a violation of the terms), the Processor automatically deletes all personal data processed on behalf of the Controller, except in cases where applicable European Union or Member State regulatory enactments require further retention of certain data.
- The Controller’s right to receive the return of data, stipulated in Article 28 of the GDPR, is ensured using the Platform’s self-service functionality. The Controller has the opportunity and obligation to independently download (export) the necessary video materials and data before closing their account. The Controller acknowledges and agrees that after the account is closed, the return of data will no longer be technically possible.
- After the account is closed, the Processor ensures the secure deletion of personal data from its active systems immediately or no later than within 30 (thirty) days.
- Personal data stored in the Processor’s security backups are not actively processed and are automatically overwritten or deleted in accordance with the Processor’s standard data retention schedule, ensuring their strict confidentiality and technical isolation during this period.
Final provisions
- This Agreement is an integral part of the Main Agreement. In the event of any conflict between this Agreement and the Main Agreement on matters directly affecting personal data protection and processing, the provisions of this Agreement shall prevail and be binding. All other matters not covered by this Agreement are governed in accordance with the Main Agreement.
- The Processor has the right to unilaterally amend the terms of this Agreement if it is necessary to ensure compliance with changes in regulatory enactments (including the GDPR), guidelines of supervisory authorities, or case law, as well as if changes are introduced to the Platform’s functionality.
- The Controller shall be informed of the amendments to the Agreement in advance, at least 30 days before they enter into force, on the Platform or by sending a notification via email. If the Controller continues to use the Platform after the amendments enter into force, they shall be deemed to have agreed to them.
- Regarding the liability of the Parties for breaches of this Agreement, applicable law (jurisdiction), and the dispute resolution procedure, the principles and limitations of liability set out in the Main Agreement remain fully in force, unless the regulatory framework for data protection provides otherwise.
- In the event of any discrepancies, contradictions, or disputes related to the interpretation of the provisions of this Agreement, the original text of the Agreement in the Latvian language shall prevail and be binding upon the parties.
Annex 1 to the Data Processing Agreement
Description of data processing