⚖️ This document is in attorney review. Final version expected by May 11, 2026. Contact steve@goldenwestgames.com with questions.

Data Processing Addendum

Version: 1.0
Effective Date: [Signature Date]

This Data Processing Addendum ("DPA") forms part of the Agreement (as defined below) between the Customer and Golden West Games and governs the processing of Personal Data by Golden West Games on behalf of the Customer in connection with the Billiard CRM service.


1. Parties

Data Controller (Customer): [Customer legal entity name] [Customer registered address] ("Controller" or "Customer")

Data Processor: Golden West Games ("Processor" or "Golden West Games")

The Controller and Processor are each a "Party" and together the "Parties."

This DPA is incorporated into and subject to the Billiard CRM Terms of Service or such other written agreement governing the Customer's use of the Billiard CRM platform (the "Agreement"). In the event of any conflict between this DPA and the Agreement with respect to the subject matter hereof, this DPA controls.


2. Definitions

As used in this DPA, the following terms have the meanings set forth below. Terms not defined here have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the UK GDPR (as applicable).

"Agreement" means the Billiard CRM Terms of Service or other written subscription agreement between the Parties.

"Applicable Data Protection Law" means, as applicable to a given processing activity: (a) the GDPR and any national implementing legislation; (b) the UK GDPR and the Data Protection Act 2018; (c) any other data protection or privacy laws applicable to the processing of Personal Data under this DPA.

"Controller" has the meaning given in Article 4(7) GDPR.

"Data Subject" has the meaning given in Article 4(1) GDPR — an identified or identifiable natural person whose Personal Data is processed under this DPA.

"Personal Data" has the meaning given in Article 4(1) GDPR — any information relating to an identified or identifiable natural person.

"Personal Data Breach" has the meaning given in Article 4(12) GDPR — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

"Processing" has the meaning given in Article 4(2) GDPR; "Process," "Processes," and "Processed" shall be construed accordingly.

"Processor" has the meaning given in Article 4(8) GDPR.

"Services" means the Billiard CRM multi-tenant SaaS platform and related support services provided by Golden West Games under the Agreement.

"Sub-processor" means any natural or legal person engaged by the Processor to Process Personal Data on behalf of the Controller in connection with the Services.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as adopted by the European Commission Decision 2021/914, Module 2 (Controller to Processor), or their then-current equivalent.

"Supervisory Authority" has the meaning given in Article 4(21) GDPR.


3. Subject Matter and Duration

3.1 Subject Matter

Golden West Games processes Personal Data solely to provide the Services to the Customer as described in this DPA and the Agreement, including operating and maintaining the Billiard CRM platform, providing customer support, and complying with applicable legal obligations.

3.2 Duration

Golden West Games shall Process Personal Data for the duration of the Customer's active subscription under the Agreement, and thereafter in accordance with Section 12 (Return and Deletion of Personal Data).


4. Categories of Personal Data Processed

Golden West Games processes the following categories of Personal Data on behalf of the Customer:

4.1 Identifiers

  • Full name
  • Email address
  • Phone number (mobile or landline)

4.2 Customer-Relationship Data

  • Job and service records (descriptions, dates, status)
  • Payment records (invoice amounts, payment status; note: raw payment card data is processed by Stripe and is not stored by Golden West Games)
  • Customer photographs uploaded to service records
  • Notes and free-text fields entered by Customer users

4.3 Authentication Data

  • Hashed passwords (bcrypt; plaintext passwords are never stored)
  • Session tokens and authentication state
  • Email verification tokens

4.4 Metadata

  • Account activity logs (login timestamps, IP addresses)
  • Usage data generated in the ordinary course of using the Services

5. Categories of Data Subjects

The Personal Data processed under this DPA relates to the following categories of Data Subjects:

  • End customers of the Customer — natural persons who are clients or customers of the Customer's business (e.g., billiard-table service customers), whose information is entered into the Billiard CRM by the Customer.
  • Customer employees and authorized users — natural persons who are employees, contractors, or other representatives of the Customer who are granted user accounts to access the Billiard CRM platform.

6. Processor Obligations

6.1 Documented Instructions

Golden West Games shall Process Personal Data only on documented instructions from the Customer, including the instructions set out in this DPA and the Agreement. If Golden West Games is required by applicable law to Process Personal Data other than as instructed, it shall, to the extent permitted by law, notify the Customer before undertaking such Processing.

6.2 Confidentiality

Golden West Games shall ensure that persons authorized to Process Personal Data under this DPA have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.3 Technical and Organizational Measures

Golden West Games shall implement and maintain the technical and organizational security measures described in Annex II of this DPA, and shall take all measures required by Article 32 GDPR.

6.4 Assistance with Data Subject Requests

Golden West Games shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures to fulfill its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection. Golden West Games shall promptly forward to the Customer any request it receives directly from a Data Subject.

6.5 Assistance with Controller Obligations

Golden West Games shall, taking into account the nature of the Processing and the information available to it, assist the Customer in ensuring compliance with: (a) security obligations under Article 32 GDPR; (b) breach notification obligations under Articles 33–34 GDPR; (c) data protection impact assessments under Article 35 GDPR; and (d) prior consultations under Article 36 GDPR.

6.6 Breach Notification

Golden West Games shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Such notification shall include, to the extent then known: (a) the nature of the breach; (b) the categories and approximate number of Data Subjects and Personal Data records affected; (c) the likely consequences; (d) the measures taken or proposed to address the breach. Golden West Games shall provide further information in stages as it becomes available.

6.7 Deletion or Return

At the termination or expiry of the Agreement, Golden West Games shall, at the Customer's election and subject to applicable law, delete or return all Personal Data and delete existing copies, except to the extent retention is required by applicable law. Golden West Games shall confirm deletion in writing upon request.

6.8 Compliance Demonstration

Golden West Games shall make available to the Customer all information necessary to demonstrate compliance with the obligations in this DPA, and shall allow for and contribute to audits in accordance with Section 11.


7. Sub-processors

7.1 Authorization

The Customer authorizes Golden West Games to engage the Sub-processors listed in Annex III. Golden West Games shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes.

7.2 Objection Right

The Customer may object to a new Sub-processor on reasonable, documented, data-protection grounds by notifying Golden West Games in writing within 14 days of receiving notice of the proposed change. If the Customer objects and the Parties cannot resolve the objection, the Customer may terminate the affected part of the Services on reasonable notice.

7.3 Sub-processor Obligations

Golden West Games shall impose on each Sub-processor data protection obligations equivalent to those in this DPA, by way of written contract. Golden West Games remains liable to the Customer for the performance of each Sub-processor's obligations under this DPA.


8. International Transfers

8.1 Current Operations

Golden West Games operates infrastructure located in the United States. Where Personal Data of EU or UK Data Subjects is transferred from the European Economic Area ("EEA") or United Kingdom to Golden West Games or its Sub-processors in the United States or other third countries, such transfers shall be subject to appropriate safeguards under Applicable Data Protection Law.

8.2 Standard Contractual Clauses

Where the Customer is established in the EEA or the United Kingdom and transfers Personal Data to Golden West Games in a third country without an adequacy decision, the Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference into this DPA and shall apply to such transfers. The Parties agree to execute or supplement such SCCs with the particulars set out in the Annexes to this DPA.

8.3 UK Transfers

For transfers of UK Personal Data, the Parties agree that the International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner's Office, or such successor mechanism as may be issued, shall apply in lieu of or in addition to EU SCCs as appropriate.

8.4 Sub-processor Transfers

Each Sub-processor listed in Annex III maintains its own international data transfer mechanism. Golden West Games will maintain updated references to each Sub-processor's applicable transfer mechanism.


9. Data Subject Rights

9.1 Assistance

Golden West Games shall assist the Customer in responding to Data Subject requests exercising rights under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, and objection) within the timeframes required by law.

9.2 Timeline

Golden West Games shall respond to a Customer request for assistance with a Data Subject rights request within 30 days of receipt, and in no event later than 45 days where complexity justifies extension. Where an extension is needed, Golden West Games shall notify the Customer within 30 days of the original request.

9.3 Self-Service Erasure

Where technically feasible and consistent with the Services, Golden West Games provides in-app tools allowing the Customer to export and delete Personal Data without requiring manual intervention.


10. Data Breach Notification

10.1 Notification Obligation

In the event of a Personal Data Breach, Golden West Games shall notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification shall include:

(a) A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;

(b) The name and contact details of Golden West Games's data protection point of contact;

(c) A description of the likely consequences of the Personal Data Breach;

(d) A description of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

10.2 Cooperation

Golden West Games shall cooperate with the Customer and take such steps as are reasonably requested by the Customer to assist in investigating, mitigating, and remediating any Personal Data Breach.

10.3 No Admission

Nothing in this Section shall be construed as an acknowledgment by Golden West Games of fault or liability in connection with any Personal Data Breach.


11. Audit Rights

11.1 Information and Audit

Golden West Games shall make available to the Customer, upon reasonable prior written notice (at least 30 days), all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for audits or inspections conducted by the Customer or a mutually agreed-upon third-party auditor, no more than once per calendar year.

11.2 Third-Party Reports

In lieu of a direct audit, Golden West Games may (at its election) provide the Customer with the results of a relevant third-party audit or certification report (such as a SOC 2 Type II or ISO 27001 report) covering the relevant period, if and when such reports become available. As of the date of this DPA, Golden West Games does not yet hold SOC 2 or ISO 27001 certification and does not have such a report available. The Customer acknowledges this disclosure.

11.3 Audit Scope and Cost

Any audit shall be conducted during normal business hours, shall not unreasonably disrupt Golden West Games's operations, and shall be at the Customer's sole cost and expense. Any third-party auditor must execute a non-disclosure agreement reasonably acceptable to Golden West Games before commencing any audit.


12. Return and Deletion of Personal Data

12.1 Post-Termination

Upon termination or expiry of the Agreement, or upon the Customer's earlier written request, Golden West Games shall, at the Customer's election:

(a) Return to the Customer all Personal Data in a portable, machine-readable format; and/or

(b) Delete all Personal Data from Golden West Games's systems and those of its Sub-processors.

12.2 Retention for Legal Compliance

Notwithstanding the foregoing, Golden West Games may retain Personal Data to the extent required by applicable law, provided that Golden West Games continues to ensure the confidentiality of such data and processes it only to the extent required by such law.

12.3 Timeline

Golden West Games shall complete deletion or return within the timeframes specified in its Privacy Policy, generally within 90 days of termination. Golden West Games shall provide written confirmation of deletion upon the Customer's request.


13. Liability

13.1 Integration with Agreement

The Parties' liability under this DPA is subject to the limitations of liability set out in the Agreement, including any caps on damages.

13.2 GDPR Article 82

Nothing in this DPA limits either Party's liability to Data Subjects or to Supervisory Authorities under Applicable Data Protection Law to the extent such liability cannot be limited by contract.

13.3 Indemnification

Each Party shall indemnify and hold harmless the other Party for damages, fines, or penalties arising from that Party's breach of this DPA or Applicable Data Protection Law, to the extent such damages arise from that Party's acts or omissions and subject to the limitations in Section 13.1.


14. General Provisions

14.1 Order of Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement with respect to data protection matters, this DPA prevails. In the event of conflict between this DPA and the SCCs, the SCCs prevail.

14.2 Governing Law

This DPA shall be governed by the laws of the State of Washington, USA, without regard to conflict of law principles, except to the extent required otherwise by Applicable Data Protection Law.

14.3 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

14.4 Entire Agreement

This DPA, together with the Agreement and its incorporated documents (including these Annexes), constitutes the entire agreement between the Parties with respect to the Processing of Personal Data.

14.5 Amendment

Golden West Games may update this DPA from time to time to reflect changes in law, technology, or its Sub-processor list. Golden West Games shall notify the Customer of material changes with at least 30 days' advance notice. Continued use of the Services after the effective date of a material change constitutes acceptance.


Annex I: Description of Processing

| Item | Details |
|---|---|
| Subject matter | Processing of Personal Data of the Customer's end clients and employees in connection with the operation of the Billiard CRM platform |
| Duration | For the term of the Customer's subscription to the Services, plus any post-termination retention required by law or permitted under Section 12 |
| Nature of processing | Collection, storage, organization, retrieval, disclosure, transmission, use, restriction, deletion |
| Purpose | To provide the Billiard CRM service, including scheduling, customer management, invoicing, payment processing, and SMS/email communication tools, as directed by the Customer |
| Categories of Personal Data | Identifiers (name, email, phone); customer-relationship data (jobs, notes, photos, payments); authentication data (hashed passwords, session tokens); usage metadata |
| Categories of Data Subjects | Customer's end clients; Customer's employees and authorized users |
| Retention period | For the duration of the subscription; deleted or returned within 90 days of termination unless longer retention is required by law |

Annex II: Technical and Organizational Measures (TOMs)

The following measures are implemented by Golden West Games as of the Effective Date of this DPA. Golden West Games shall maintain measures substantially equivalent to or more protective than those described below.

A. Encryption

| Measure | Detail |
|---|---|
| Encryption in transit | All data transmitted between clients and the Billiard CRM platform is encrypted using TLS 1.2 or higher. |
| Encryption at rest | Database data stored in Supabase is encrypted at rest using AES-256 by default. File attachments stored in Google Cloud Storage (GCS) are encrypted at rest using Google-managed keys by default. |

B. Access Control

| Measure | Detail |
|---|---|
| Role-based access control (RBAC) | Tenant data is logically isolated by tenant ID at the application layer. User roles (owner, employee) restrict access to data and functions within the platform. |
| Authentication | User authentication is handled via NextAuth.js with secure, HTTP-only session cookies. Passwords are hashed using bcrypt before storage. |
| Rate limiting | Authentication endpoints are rate-limited using KV-backed middleware to mitigate brute-force and credential-stuffing attacks. |
| Admin access | Production database access by Golden West Games personnel is restricted to authorized individuals and is logged. |

C. Authentication and Credential Management

| Measure | Detail |
|---|---|
| Email verification | New accounts require email address verification before full access is granted. |
| Password hashing | Passwords are hashed using bcrypt with appropriate work factor; plaintext passwords are never stored or logged. |
| Session management | Sessions are invalidated on logout. Session tokens are rotated on privilege changes. |
| Planned enhancements | TOTP-based multi-factor authentication and SSO (SAML/OIDC) are planned for the Pro tier. |

D. Monitoring and Logging

| Measure | Detail |
|---|---|
| Error monitoring | Application errors are captured by Sentry with personally identifiable information scrubbed or masked where feasible. |
| Audit logs | Supabase provides database-level audit logging. Application-level events are logged for security monitoring purposes. |
| Alerting | Sentry alerts are configured for error spikes and security-relevant events. |

E. Backup and Recovery

| Measure | Detail |
|---|---|
| Automated backups | Supabase performs automated daily backups with approximately 30 days of retention on paid plans. |
| Recovery testing | |

F. Incident Response

| Measure | Detail |
|---|---|
| Incident response process | Golden West Games maintains an internal security incident response runbook. On detection of a potential Personal Data Breach, the process provides for: containment, investigation, notification (per Section 10), and post-incident review. |
| Personnel training | Authorized personnel with access to Personal Data receive instruction on data handling obligations and security practices. |

G. Vendor Management

| Measure | Detail |
|---|---|
| Sub-processor due diligence | Golden West Games reviews the security practices of Sub-processors prior to engagement and maintains DPAs with each Sub-processor as listed in Annex III. |

Annex III: Authorized Sub-processors

As of the Effective Date, Golden West Games engages the following Sub-processors in connection with the Services:

| Sub-processor | Purpose | Location | Transfer Mechanism | DPA Reference |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing and financial transaction management | USA | SCCs / DPF | stripe.com/legal/dpa |
| Twilio Inc. | SMS messaging and communication services | USA | SCCs / DPF | twilio.com/legal/data-protection-addendum |
| Resend, Inc. | Transactional email delivery | USA | SCCs | resend.com/legal/dpa |
| Google LLC (Google Cloud Platform) | File storage (Google Cloud Storage) | USA | SCCs / DPF | cloud.google.com/terms/data-processing-addendum |
| Supabase, Inc. | Database hosting and management | USA | SCCs | supabase.com/legal/dpa |
| Vercel, Inc. | Application hosting and edge network | USA | SCCs | vercel.com/legal/dpa |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracking | USA | SCCs | sentry.io/legal/dpa |
| Upstash, Inc. | Rate limiting (Redis-based KV store) | USA | SCCs | upstash.com/static/trust/dpa.pdf |

Golden West Games shall maintain an updated list of Sub-processors at [a publicly accessible URL or by request]. Customers who have subscribed to Sub-processor change notifications will be notified at least 14 days before any new Sub-processor begins processing Personal Data.


Signatures

This DPA is agreed to by the authorized representatives of the Parties as of the Effective Date.

Golden West Games

Signature: ___________________________
Name: Steve Holderbaum
Title: Founder
Date: ___________________________

Customer

Signature: ___________________________
Name: ___________________________
Title: ___________________________
Company: ___________________________
Date: ___________________________


This DPA was last updated: April 2026. For questions, contact privacy@goldenwestgames.com.