Data Processing Agreement
Effective date: 26 February 2026
This Data Processing Agreement ("DPA") is entered into between the customer using the OpenMatchDay platform ("Controller", "you") and POISE AB, VAT ID SE556773092301 ("Processor", "we", "us"), pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
This DPA supplements the Terms of Service and applies automatically to all customers whose use of the Service involves the processing of personal data.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- Processing: Any operation performed on personal data, as defined in GDPR Article 4(2).
- Controller: The customer (tournament organizer) who determines the purposes and means of processing personal data through the Service.
- Processor: POISE AB, which processes personal data on behalf of the Controller through the OpenMatchDay platform.
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes personal data on behalf of the Controller for the purpose of providing the OpenMatchDay tournament management platform.
2.2 Categories of Data Subjects
- Tournament administrators and staff (account holders)
- Team representatives and contacts
- Players registered in tournaments
- Spectators accessing public tournament pages (minimal data only)
2.3 Types of Personal Data
- Names (administrators, players)
- Email addresses (administrators)
- Player information (name, shirt number)
- Team information (team name, contact details if provided)
- Match and performance data (scores, events, statistics)
- Usage data (IP addresses, browser information from server logs)
2.4 Duration
Processing continues for the duration of the Controller's subscription and for the data retention period specified in our Privacy Policy.
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall process personal data only on documented instructions from the Controller, except where required by EU or Member State law. The Controller's instructions are defined by the features and configuration of the Service as used by the Controller.
3.2 Confidentiality
The Processor ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit: All data transmitted via HTTPS/TLS
- Authentication: Passwords stored using bcrypt hashing; CSRF token protection on all operations
- Access control: Role-based permissions (platform admin, tournament admin, referee, viewer)
- Content Security Policy: CSP headers with nonces to prevent injection attacks
- Hosting: Data stored on EU-based servers
- Monitoring: Server access logs retained for 90 days for security review
- Updates: Regular security patches and platform updates
3.4 Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The current list of sub-processors is:
| Sub-processor | Purpose | Location |
|---|---|---|
| EU hosting provider | Server infrastructure and data storage | European Union |
| Lettermint | Transactional email delivery | European Union |
The Processor shall inform the Controller of any intended changes to the sub-processor list at least 30 days in advance. The Controller may object to a new sub-processor within that period. If the objection cannot be resolved, the Controller may terminate the agreement.
3.5 Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection). The Processor provides tools within the platform for the Controller to manage player and team data directly.
3.6 Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
3.7 Data Protection Impact Assessments
The Processor shall assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required under GDPR Articles 35 and 36.
4. Obligations of the Controller
The Controller is responsible for:
- Ensuring a lawful basis for processing personal data entered into the Service
- Obtaining appropriate consent from data subjects (such as players) where required
- Providing privacy information to data subjects about the use of their data in the tournament
- Determining the retention period for tournament data within the Service's capabilities
5. Data Deletion and Return
5.1 During Subscription
The Controller can delete tournament data, teams, and players at any time through the platform's administrative tools.
5.2 Upon Termination
Upon termination of the subscription, the Controller may request a data export within 30 days. After this period, the Processor shall delete all personal data processed on behalf of the Controller, unless retention is required by EU or Member State law.
5.3 Automatic Cleanup
Completed tournaments are automatically deleted 60 days after completion. Draft tournaments that are not activated are deleted after 24 hours. These retention periods apply unless the Controller deletes the data earlier.
6. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28. This includes:
- Annual compliance documentation available upon written request
- Cooperation with audits conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and scope limitations
Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
7. International Transfers
The Processor stores and processes all personal data within the European Union. If any sub-processor processes data outside the EU/EEA, the Processor shall ensure appropriate safeguards are in place (such as Standard Contractual Clauses) in accordance with GDPR Chapter V.
8. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
9. Term and Termination
This DPA takes effect when the Controller begins using the Service and remains in effect as long as the Processor processes personal data on behalf of the Controller. The DPA automatically terminates when all personal data has been deleted or returned in accordance with Section 5.
10. Contact
For questions about this Data Processing Agreement, contact:
POISE AB
Email: hello@openmatchday.com
VAT ID: SE556773092301