Data Processing Agreement

Last updated 03/31/2022

These Data Processing Terms form part of the Terms of Service between Martial Arts on Rails, LLC d/b/a Gymdesk and you and apply when we process Personal Data on your behalf in the course of providing the Services. These Data Processing Terms do not apply where we are the Controller. Defined and/or capitalized terms not defined here have the meanings given them in the Agreement. If not defined in the Agreement, capitalized terms have the meaning given them, or an equivalent term, in applicable data protection, privacy or security laws (“Privacy Laws”). These Data Processing Terms take precedence over any other terms of the Agreement in relation to the Processing of Personal Data.

1. Parties. “Gymdesk”, “we”, “us” or “our” means Martial Arts on Rails, LLC d/b/a Gymdesk or Affiliate(s) who execute or assent to the Order Form. “You” or “your” means collectively the other entity(ies) executing or assenting to the Order Form. “Affiliate” means any entity that controls, is controlled by, or is under common control with, another entity. An entity “controls” another if it owns directly or indirectly a sufficient voting interest to elect a majority of the directors or managing authority or otherwise direct the affairs or management of the entity.

2. Processing. With respect to the Processing of Personal Data, you act as a Controller, “business”, or Processor and Gymdesk is a Processor or “service provider”. We will only Process Personal Data as permitted under the Agreement and applicable Privacy Laws. We will not “sell” Personal Data. You agree that the Agreement represents your complete instructions to us and any additional changes you require must be mutually agreed. We will inform you if we believe that any of your instructions violate law, unless prohibited on important grounds of public interest. Details regarding the Processing of Personal Data are specified in Annex 1. You are solely responsible for complying with Privacy Laws regarding the Processing of Personal Data (including obtaining consents) and warrant that you comply with the same. You shall indemnify us, our Affiliates, subcontractors, and licensors from all third-party claims or losses arising from the Processing of Personal Data in accordance with this Agreement.

3. Subprocessors. You authorize us to use other Processors, including Gymdesk affiliates and service providers, (“Subprocessors”) in any jurisdiction to Process Personal Data, so long as they are required to abide by terms substantially similar to these Data Processing Terms. We will be liable to you for the performance of our Subprocessor’s obligations under the Agreement. Our current Subprocessors are listed here. You must subscribe to this link to receive notice of updates to our list of Subprocessors. You may object in writing to our appointment of a new Subprocessor within five (5) calendar days of such notice. If you legitimately object to a Subprocessor on reasonable data protection grounds and we do not resolve the matter within one month following notification, we may terminate the Services impacted by the new Subprocessor, without penalty, upon written notice.

4. Security. We will implement appropriate technical and organizational measures to protect Personal Data, as described in Annex 2 (“Security Measures”). We may update or modify the Security Measures, so long as the overall security level of the Services is maintained. You are solely responsible for determining whether the Security Measures meet your requirements. You agree that the level of security provided by the Security Measures is appropriate to the risk inherent in the Services. You are responsible for configuring the Services in a manner which enables you to comply with applicable Privacy Laws. We will ensure that only authorized personnel who are under written obligations of confidentiality or are under an appropriate statutory obligation of confidentiality may access Personal Data. The Services are not designed to Process Special Categories of Data, cardholder data subject to the Payment Card Industry Security Standard (“PCI DSS”), protected health information, children’s Personal Data, or other Personal Data inappropriate for the nature of the Services (collectively, “Prohibited Data”). You shall not submit Prohibited Data to us or to the Services, unless authorized to do so in writing by Gymdesk.

5. Security Incident. We will notify you without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized access, disclosure or use of Personal Data while processed by us (each a “Security Incident”) in relation to the Services under the Agreement. We will investigate the Security Incident and provide you with relevant information about the Security Incident as required under Privacy Laws. We will use reasonable efforts to assist you in mitigating, where possible, the adverse effects of any Security Incident.

6. Compliance. On written request and subject to obligations of confidentiality, we will provide to you information reasonably necessary, including relevant certifications, to demonstrate our compliance with these Data Processing Terms. With respect to Subprocessors, we may fulfil our responsibilities under this Section 6 by providing you with audit reports or certifications provided by such Subprocessors.

7. Data Transfers. You authorize us and our Subprocessors to transfer Personal Data to locations outside of its country of origin for the performance of the Agreement, provided that we implement appropriate transfer safeguards to comply with applicable Privacy Laws. If we transfer Personal Data from the European Economic Area (“EEA”), UK, Switzerland or from any other jurisdiction that restricts the cross-border transfer of Personal Data to locations outside that jurisdiction, you shall be bound by the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 including the provisions in Modules 2 and 3, as applicable, (“SCCs”) in the capacity of “data exporter”, and Gymdesk in the capacity of “data importer” as those terms are defined therein. The SCCs will be deemed to have been signed by each Party and are hereby incorporated by reference into the Agreement in their entirety as if set out in full as an annex to this Agreement. The Parties acknowledge that the information required to be provided in the appendices to the SCCs is set out in Annex 1 below as a “Description of the Transfer” and “Security Measures” as a “Description of the Technical Organizational Measures” in Annex 2. Audits under Section 8.9 of the SCCs shall be carried out in accordance with the above Section 6. The SCCs will prevail over these Data Processing Terms or the Agreement, in the event of conflict.

8. Cooperation. We will cooperate with you to respond to requests, complaints or inquiries from data subjects, supervisory authorities, or other third parties, conduct a privacy impact assessment and prior consultation with supervisory authorities, provided that you reimburse us for all reasonably incurred costs. If we receive a data subject request relating to Personal Data, we will provide it to you. We will not respond to the data subject request unless required by applicable law.

9. Termination. Upon termination of the Agreement, we will return, delete or anonymize Personal Data except to the extent (i) we are required by applicable law to retain Personal Data or (ii) for compliance, audit or security purposes, in which case these Data Processing Terms will continue to apply to the retained Personal Data. Any certification of deletion will be provided to you only upon your written request.

ANNEX 1

DESCRIPTION OF THE PROCESSING AND TRANSFER (MODULE 2: CONTROLLER TO PROCESSOR)

 

A. LIST OF THE PARTIES

Controller / Data Exporter

You and your Affiliates, as set forth in the Agreement.

Processor / Data Importer

Name: Martial Arts on Rails, LLC d/b/a Gymdesk.

Address: 9901 Brodie Ln, Ste 160 #1150, Austin TX 78748, USA

Contact: support@gymdesk.com

B. DETAILS OF PROCESSING/TRANSFER

CATEGORIES OF DATA SUBJECTS

The Personal Data processed and transferred is determined and controlled by you in your sole discretion and may include, without limitation, the following categories of Data Subjects: (i) employees, contractors and temporary workers (current, former, prospective) of data exporter; (ii) advisors, trainers, consultants, service providers and other third parties; (iii) users (e.g. customers) and end users of the Services; (iv) any other data subject as described in the Agreement.

CATEGORIES OF PERSONAL DATA

The Personal Data processed and transferred is determined and controlled by you in your sole discretion and may include, without limitation, the following categories of data: name, email address, country of residence, mobile phone number, username, password, IP addresses, unique identification numbers and signatures, voice, video and data recordings.

SPECIAL CATEGORIES OF DATA

The Services are not intended for the Processing of Special Categories of Data or Prohibited Data, and you shall not transfer such data, directly or indirectly, to us.

FREQUENCY

The Personal Data transfers under the Agreement will take place on a continuous basis.

NATURE OF THE PROCESSING

Gymdesk and its Subprocessors are providing the Services or fulfilling contractual obligations to you, as described in the Agreement. These Services may include the processing of Personal Data by Gymdesk and/or its Subprocessors.

PURPOSE OF PROCESSING / TRANSFER

Your Personal Data is processed and transferred for the following purposes: (i) providing the Services and facilitating communication with customers, employees and users; (ii) administration and management of channel partners, distributors and/or sales partners; (iii) identity management and security; (iv) managing product and service development, improving existing and developing new products and services, research and development; (v) research in any field, including scientific and technical research; (vi) any other scope and purpose as described in the Agreement.

RETENTION

Your Personal Data will be retained in accordance with the Agreement unless applicable law requires storage of the Personal Data for a longer period.

TRANSFER TO SUBPROCESSORS

Gymdesk may process and transfer Personal Data to Subprocessors in relation to the performance of the Agreement and in accordance with the following scope:

  • Subject Matter: The subject matter of the processing under the Agreement is the Personal Data.
  • Nature of the processing: Gymdesk and its Subprocessors are providing services or fulfilling contractual obligations to you, as described in the Agreement. These services may include the processing of Personal Data by Gymdesk and/or its Subprocessors.
  • Duration: The duration of the processing under the Agreement is determined by you and as set forth in the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

For the purposes of Clause 13 of the SCCs, the competent supervisory authority for the Customer shall be the supervisory authority applicable to the Customer in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.

D. GOVERNING LAW AND CHOICE OF FORUM

GOVERNING LAW

For the purposes of Clause 17 of the SCCs, the parties select the law of Ireland.

CHOICE OF FORUM

For the purposes of Clause 18 of the SCCs, the parties agree that the courts of Ireland will have jurisdiction.

E. OTHER

Where the SCCs identify optional provisions or provisions with multiple options the following will apply:

For Clause 7 (Docking Clause), the optional provision will apply.

For Clause 9(a), option 2 will apply. The parties will follow the process agreed in Section 3 (Subprocessors).

For Clause 11(a) (Redress), the optional provision will not apply.

For Clause 12 (Liability), the limitation of liability in the Terms of Service applies to these Data Processing Terms.



ANNEX 2

SECURITY MEASURES

This Annex 2 describes the Security Measures designed to protect and secure our Services when we Process Personal Data under the Agreement. We may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services provided under the Agreement. Beta offerings may be subject to different practices.

 

CATEGORIES AND PRACTICES

Risk Management

  • Gymdesk will maintain administrative, physical and technical safeguards designed for the protection and integrity of Your Data. Gymdesk will maintain PCI DSS compliance for the portions of the Services that store and process Cardholder Data. 



Data Handling

  • Gymdesk uses commercially standard encryption management standards for encrypting data-at-rest and data-in-transit.
  • Multi-tenant applications hosted on the cloud are segregated logically, and data flow between the various components of the platform is restricted within required subnets and VNETs.
  • Gymdesk maintains appropriate data security controls including: (i) identity and access management controls; (ii) role-based access (least privilege); (iii) secure log-in with unique user-ID/password; (iv) complex password requirements and secure storage.

Backup

  • Backups are performed on a periodic basis.

Business Continuity

  • Gymdesk maintains a business continuity plan and disaster recovery plans to ensure a minimum level of continuity for the delivery of critical products and services during a significant interruption.


Third Parties

  • Gymdesk uses industry-leading cloud providers for our cloud computing infrastructure and physical data center facilities for Services.
  • Gymdesk relies on the physical and environmental controls of third-party cloud providers. All data centers are SOC 2 or equivalent compliant facilities.
  • Gymdesk uses commercially reasonable efforts to ensure that third-party suppliers and licensors to the Services conform to substantially similar standards and levels of security as described in this Policy.