Data Processing Agreement (DPA)

v 1.0 · 2026-05-01 · GDPR Art. 28

1. Parties

Controller — the federation, club, or self-employed coach using IRI (the Customer). Processor — the operator of the IRI platform, contactable at dpa@iri.training.

2. Scope of processing

  • Categories of data subjects: coaches, athletes, support staff.
  • Categories of personal data: account credentials, athlete training history, body weight, RPE, video uploads.
  • Purpose: deliver training planning, analytics, and athlete-coach communication.
  • Duration: the term of the customer subscription plus 30 days of erasure runway.

3. Processor obligations

  1. Process personal data only on documented Customer instructions.
  2. Bind all personnel to confidentiality.
  3. Implement appropriate technical and organisational measures (Art. 32) — see Schedule A.
  4. Engage sub-processors only with the Customer's prior general authorisation (Section 5).
  5. Assist the Customer in fulfilling data-subject rights (Art. 12-22).
  6. Notify the Customer of personal-data breaches without undue delay, and within 72 hours where feasible.

4. Sub-processing

The current sub-processor list lives at /legal/sub-processors and is updated 30 days before changes take effect. The Customer may object in writing.

5. Schedule A — Security measures

  • Transport encryption: TLS 1.3 enforced.
  • Storage encryption: at-rest encryption on PostgreSQL and object storage.
  • Authentication: bcrypt-hashed passwords, HTTP-only session cookies, optional SSO via federation IdP.
  • Backups: daily snapshots, 90-day rotation, regional redundancy.
  • Access controls: principle of least privilege, audited access to production.
  • AI input minimisation: athlete names anonymised to initials, no PII outside performance metrics.

6. International transfers

Sub-processors may operate outside the EU/EEA. Where they do, the Standard Contractual Clauses (Decision 2021/914) are incorporated by reference. EU-only deployments are available on request and run the on-premises Ollama AI provider exclusively.

7. Termination

On termination, all personal data is exported (JSON) on Customer request and deleted within 30 days. Backups rotate out within 90 days.