Data Processing Agreement
1. Definitions
- Controller means the competition organiser who determines the purposes and means of processing personal data.
- Processor means Wushu Precision, the Platform provider that processes personal data on behalf of the Controller.
- Personal Data means any information relating to an identified or identifiable natural person.
- Applicable Data Protection Law means the UK GDPR, EU GDPR (where applicable), the Data Protection Act 2018, and any other relevant UK/EU legislation.
- Services means the platform and related services used to organise, manage, score, and display sports competitions.
2. Subject matter and duration
This Agreement governs the Processor's processing of Personal Data on behalf of the Controller for the purpose of providing the Services. It remains in force for as long as the Processor processes Personal Data on behalf of the Controller.
3. Nature and purpose of processing
The Processor will process Personal Data solely for the following purposes:
- Creating and managing competition structures.
- Registering participants.
- Recording, calculating, and displaying scores and results.
- Managing communications between organisers and participants.
- Providing technical support and platform functionality.
- Ensuring platform security and integrity.
The Processor will not process Personal Data for any purpose other than those documented by the Controller.
4. Types of personal data and categories of data subjects
4.1 Types of Personal Data
- Names.
- Email addresses.
- Competition registration details.
- Performance data, scores, and rankings.
- Team or club affiliations.
- Any additional data the Controller uploads or imports.
4.2 Categories of data subjects
- Competition participants.
- Coaches or team managers.
- Officials or volunteers.
- Other individuals whose data the Controller submits.
The Controller is responsible for ensuring it has lawful authority to provide all such data.
5. Obligations of the Controller
The Controller agrees to:
- Ensure all Personal Data is collected and submitted lawfully.
- Provide clear instructions to the Processor.
- Ensure participants are informed about how their data will be processed.
- Obtain all necessary consents or establish a lawful basis under Applicable Data Protection Law.
- Ensure the Personal Data provided is accurate and up to date.
- Not upload data it does not have the right to submit.
The Controller indemnifies the Processor against claims arising from unlawful or unauthorised data submission.
6. Obligations of the Processor
6.1 Process only on documented instructions
The Processor will process Personal Data only on the Controller's documented instructions, unless required by law.
6.2 Confidentiality
The Processor will ensure all personnel authorised to process Personal Data are bound by confidentiality obligations.
6.3 Security measures
The Processor will implement appropriate technical and organisational measures to protect Personal Data, including encryption, access controls, secure hosting, and regular security testing.
6.4 Sub-processors
The Processor may engage sub-processors to support the Services. The Processor will:
- Use only sub-processors bound by equivalent data protection obligations.
- Inform the Controller of any intended changes to sub-processors.
- Remain fully liable for sub-processor actions.
6.5 Assistance to the Controller
The Processor will assist the Controller in:
- Responding to data subject rights requests.
- Conducting data protection impact assessments (DPIAs).
- Managing security incidents.
6.6 Data breach notification
The Processor will notify the Controller without undue delay upon becoming aware of a Personal Data breach.
6.7 Data transfers
The Processor will not transfer Personal Data outside the UK/EEA without appropriate safeguards, such as adequacy decisions, Standard Contractual Clauses (SCCs), or additional technical and organisational protections.
7. Data subject rights
The Processor will assist the Controller in fulfilling requests from data subjects, including access, rectification, erasure, restriction, objection, and data portability. The Processor will not respond directly to data subjects unless instructed by the Controller.
8. Return or deletion of data
Upon termination of the Services, the Processor will:
- Delete or return all Personal Data to the Controller, at the Controller's choice.
- Delete existing copies unless retention is required by law or necessary to preserve competition records.
Competition results may be retained in anonymised or aggregated form.
9. Audits and inspections
The Controller may request information necessary to demonstrate compliance. Formal audits may be conducted with reasonable notice, without disrupting platform operations, and subject to confidentiality obligations.
10. Liability
Each party's liability under this Agreement is subject to the limitations set out in the main Terms & Conditions, except where prohibited by law.
11. Governing law
This Agreement is governed by the laws of England and Wales. Any disputes shall be resolved exclusively in the courts of England and Wales.
12. Entire agreement
This DPA forms part of the Terms & Conditions between the parties. In the event of conflict, this DPA prevails with respect to data protection matters.