SupaClub

Data Processing Agreement

Effective Date: August 31, 2025

This Data Processing Agreement ("DPA") is incorporated into and forms part of the SupaClub Terms of Service (the "Agreement") between Good Creative Lab Inc. ("SupaClub" or "Processor") and the Customer ("Controller").

1. Definitions

Terms such as "Personal Data," "Data Subject," "Processing," "Controller," and "Processor" shall have the meanings ascribed to them in applicable Data Protection Law (such as the GDPR). "Customer Personal Data" means the Personal Data of End Users that Processor Processes on behalf of Controller in connection with the provision of the Services within the Controller's Organization.

2. Processing of Personal Data

  • Roles of the Parties: The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Controller is the Controller and SupaClub is the Processor.
  • Controller's Instructions: Processor shall only Process Customer Personal Data on behalf of and in accordance with Controller's documented instructions, which include (i) processing to provide the Services as described in the Agreement; and (ii) processing initiated by End Users in their use of the Services.

3. Security

Processor shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from security incidents.

4. Confidentiality

Processor shall ensure that its personnel engaged in the Processing of Customer Personal Data are subject to obligations of confidentiality.

5. Sub-processors

Controller acknowledges and agrees that Processor may engage third-party sub-processors. Processor will provide a list of its sub-processors upon request and shall ensure they are bound by agreements that provide at least the level of data protection required by this DPA.

6. Data Subject Rights

Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise their rights. Processor shall assist Controller by appropriate technical and organizational measures for the fulfillment of Controller's obligation to respond to a Data Subject's request.

7. Personal Data Breach

Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8. Deletion or Return of Data

Upon termination of the Agreement, Processor shall, at the choice of Controller, delete or return all Customer Personal Data to Controller.

9. Audits

Processor shall make available to Controller on request all information necessary to demonstrate compliance with this DPA.

10. Details of Processing

  • Subject Matter: The Customer Personal Data within the Controller's Organization.
  • Duration: The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
  • Purpose: The provision of the Services as initiated by the Controller.
  • Nature of the Processing: To provide the platform for Customers to manage their Organizations and End Users, including communication, content hosting, membership management, and performing data migrations at the Customer's instruction.
  • Categories of Data Subjects: End Users of the Controller's Organization.
  • Types of Personal Data: Any Personal Data collected, stored, or processed at the direction of the Controller after an End User has become a member of the Organization. This includes, but is not limited to, additional profile information, content posted by End Users, membership status, and activity data. For clarity, this DPA does not apply to the SupaClub Account Data (including initial onboarding data) for which SupaClub is the Data Controller, as defined in our Privacy Policy.