Data Processing Agreement

What this is

This DPA describes how DockScore (the "Processor") handles personal data on behalf of tournament organizations (each, a "Controller") that use the platform. It supplements our Terms of Service and Privacy Policy.

If your organization is subject to the EU's GDPR, the UK GDPR, the California Consumer Privacy Act, or any of the LATAM data protection regulations (Nicaragua's Ley 787, Mexico's LFPDPPP, Colombia's Ley 1581), this DPA applies. If you'd like a countersigned copy, write to [email protected].

Roles

You (the tournament organization) are the Controller of personal data about your participants — captains, anglers, judges, sponsors, spectators. You decide what to collect and why.

DockScore is the Processor. We process that data on your behalf, only for the purposes you instruct (running your tournament platform), and only as long as needed to provide the service.

Categories of data we process

Participant identity: name, email, phone, role (captain / angler / judge)
Tournament data: boats, catches, jury decisions, results
Authentication data: usernames, password hashes (we never store plaintext passwords)
Operational telemetry: request logs (IP, user-agent), error logs

Sub-processors

We rely on the following infrastructure providers, each of which is bound by its own contractual obligations to us:

Cloudflare, Inc. — hosting, DNS, edge compute, object storage, database (D1)
Stripe, Inc. — payment processing (only for organizations on paid tiers)
Resend — transactional email delivery
Plausible Insights, OÜ — privacy-friendly analytics (no cookies, no individual tracking)
Meta Platforms, Inc. — only if your organization opts in to the Auto Story Publisher and connects an Instagram/Facebook account

If we add or change sub-processors, we will provide reasonable advance notice via email to the registered Controller contact.

Security measures

All data in transit is encrypted (HTTPS/TLS 1.2+)
Data at rest is encrypted by Cloudflare (D1, R2, KV)
Meta API access tokens (Auto Story Publisher) are encrypted with AES-256-GCM via Web Crypto API; the encryption key is held as a Cloudflare secret
Authentication uses JWT with rotating signing keys
Tenant isolation is enforced at the database query layer; every query is scoped by org_id
Failed login attempts are rate-limited and logged in an audit table
Data centers (Cloudflare) maintain ISO 27001 and SOC 2 Type II certifications

Data location

Data is stored in Cloudflare's global network. By default, Cloudflare D1 stores tenant data in a primary region, with secondary replication for availability. The primary region is selected at platform setup. Tournament organizations with strict data-residency requirements should contact us before signing up.

Data subject rights

As Controller, you are responsible for fulfilling data subject requests (access, rectification, deletion, portability) from your participants. DockScore provides:

Self-service export for tournament organizations: you can export your full tournament data in JSON/CSV at any time from the platform admin
On-request export: write to [email protected] for support with specific data subject requests
Deletion within 30 days of a verified deletion request

Data retention

Active tournament data: retained for as long as your organization's account is active
Permanent results archive: by default retained indefinitely (this is a feature — you decide whether to keep it on)
Operational logs (IP, user-agent): 90 days (Cloudflare default)
Audit log entries (login, failed login, account lock): 36 months
Form submissions on the marketing site: typically 36 months
Account deletion: within 90 days of the cancellation date, except where retention is legally required

Breach notification

In the event of a personal data breach affecting your tournament data, DockScore will notify the registered Controller contact without undue delay (and in any case within 72 hours of becoming aware of the breach), with all reasonably available details about the nature, scope, and likely consequences of the breach, and the measures taken or proposed.

International transfers

Where personal data is transferred outside the originating region (e.g., from EU to a Cloudflare US data center for processing), we rely on Cloudflare's Standard Contractual Clauses and additional safeguards as documented in their data processing terms.

Audits

Tournament organizations on enterprise/Circuit tier may request an annual security review. Smaller-tier organizations may rely on Cloudflare's published certifications (SOC 2 Type II, ISO 27001) as the basis for their assessment.

Termination

On termination of the agreement, DockScore will, at the Controller's choice, return or delete all personal data processed on the Controller's behalf. The Controller has 30 days from termination to request a full export. After 90 days, all data is deleted from production systems; backup snapshots may persist for an additional 30 days before final deletion.

Contact

Questions about this DPA, data subject requests, or to request a countersigned version: [email protected]

DockScore · dockscore.io · Built for Tournament Directors

Data Processing Agreement (DPA)