Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the agreement between GymAscend Limited ("Processor," "GymAscend") and the customer that has entered into a service agreement with GymAscend (the "Controller," "Customer") for the provision of the GymAscend platform and branded application (the "Services" and the "Agreement"). It governs the processing of personal data carried out by GymAscend on the Customer's behalf in connection with the Services. Where this DPA conflicts with the Agreement on the subject of personal data processing, this DPA prevails.

1. Definitions

Terms such as "personal data," "processing," "controller," "processor," "data subject," "personal data breach," and "supervisory authority" have the meanings given in applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the UK GDPR ("Data Protection Law"). "Sub-processor" means any processor engaged by GymAscend to process personal data on the Customer's behalf.

2. Roles and scope

The Customer is the controller and GymAscend is the processor of the personal data processed under the Services, as described in Annex 1. Each Party will comply with its obligations under Data Protection Law. The Customer is responsible for the lawfulness of the data it provides and the instructions it gives.

3. Processing instructions

GymAscend will process personal data only on the Customer's documented instructions, including those set out in the Agreement and this DPA, and as necessary to provide the Services, unless required to do otherwise by law, in which case GymAscend will inform the Customer unless legally prohibited. If GymAscend believes an instruction breaches Data Protection Law, it will inform the Customer.

4. Confidentiality

GymAscend will ensure that persons authorized to process the personal data are bound by appropriate confidentiality obligations.

5. Security

GymAscend will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2, taking into account the state of the art, the costs of implementation, and the nature, scope and purposes of processing.

6. Sub-processors

The Customer grants GymAscend general authorization to engage sub-processors to provide the Services. GymAscend will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for its sub-processors' performance. GymAscend will maintain a list of sub-processors and will give the Customer reasonable prior notice of any intended addition or replacement, giving the Customer the opportunity to object on reasonable data protection grounds.

7. Assistance to the Controller

Taking into account the nature of the processing, GymAscend will assist the Customer, by appropriate technical and organizational measures and insofar as possible, in: (a) responding to requests from data subjects exercising their rights; (b) ensuring the security of processing; (c) notifying personal data breaches and conducting data protection impact assessments and prior consultations, where required.

8. Data subject requests

If GymAscend receives a request from a data subject relating to data processed on the Customer's behalf, it will, where legally permitted, direct the data subject to the Customer and will not respond directly except on the Customer's instructions.

9. Personal data breach

GymAscend will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data, and will provide information reasonably available to assist the Customer in meeting its breach notification obligations.

10. Return or deletion

On termination of the Services, GymAscend will, at the Customer's choice, delete or return the personal data it processes on the Customer's behalf, and delete existing copies, unless retention is required by law. The Customer may request an export of its data as provided in the Agreement.

11. Audits

GymAscend will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and no more than once per year unless required by a supervisory authority.

12. International transfers

Where GymAscend transfers personal data outside the European Economic Area or the United Kingdom, it will ensure an appropriate transfer mechanism is in place, such as the European Commission's Standard Contractual Clauses or the UK equivalent, or another lawful safeguard.

13. Liability

Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

14. General

This DPA is governed by the same law as the Agreement. Except as amended by this DPA, the Agreement remains in full force.

Annex 1: Description of processing

• Subject matter: provision of the GymAscend branded application and platform.
• Duration: the term of the Agreement, plus any period required for return or deletion of data.
• Nature and purpose: hosting, operating and maintaining the application; enabling member accounts, fitness features, classes, communications, AI features, and engagement analytics for the Customer.
• Types of personal data: account and identity data, profile and fitness data, membership data, usage and engagement data, AI interaction data, member content, and device and technical data.
• Categories of data subjects: the Customer's members and end users of the application, and the Customer's authorized staff users.

Annex 2: Technical and organizational measures

GymAscend maintains measures including: access controls and authentication; encryption of data in transit and, where appropriate, at rest; network and application security controls; regular backups; logging and monitoring; least-privilege access for personnel; vendor and sub-processor due diligence; and incident response procedures. These measures may be updated over time provided the level of protection is not reduced.