Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Lazy E Holdings LLC, a Texas limited liability company ("Processor," "we," "us," or "K9 ProTrain") and the customer who has agreed to this DPA ("Controller," "you," or "Customer") for the provision of the K9 ProTrain service (the "Services").

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with providing the Services, and the parties are subject to Data Protection Laws.

This DPA is incorporated into and forms part of the K9 ProTrain Terms of Service (the "Agreement").

• "Controller" means the entity that determines the purposes and means of Processing Personal Data.
• "Data Protection Laws" means all applicable laws relating to the Processing of Personal Data, including GDPR, UK GDPR, CCPA/CPRA, and other applicable data protection legislation.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• "Personal Data Breach" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
• "Processor" means an entity that Processes Personal Data on behalf of the Controller.
• "Sub-processor" means any Processor engaged by the Processor to assist in Processing Personal Data.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers.
• "Supervisory Authority" means an independent public authority responsible for monitoring the application of Data Protection Laws.

3.1 Controller Responsibilities

The Controller shall:

• Ensure it has a lawful basis for Processing Personal Data;
• Provide clear instructions to the Processor regarding the Processing;
• Comply with all applicable Data Protection Laws;
• Ensure Data Subjects are informed about the Processing;
• Obtain necessary consents where required;
• Respond to Data Subject rights requests.

3.2 Processor Responsibilities

The Processor shall:

• Process Personal Data only on documented instructions from the Controller;
• Ensure personnel are bound by confidentiality obligations;
• Implement appropriate technical and organizational security measures;
• Engage Sub-processors only with prior authorization;
• Assist the Controller with Data Subject rights requests;
• Assist with data protection impact assessments where required;
• Delete or return Personal Data at the end of the Services;
• Make available information to demonstrate compliance;
• Notify the Controller of any Personal Data Breach.

4.1 Subject Matter and Duration

The Processor will Process Personal Data for the duration of the Agreement to provide the K9 ProTrain Services as described in the Agreement and this DPA.

4.2 Nature and Purpose of Processing

Personal Data will be Processed for the following purposes:

• Providing dog training management services
• User authentication and account management
• Communication between trainers and pet parents
• Generating reports and certificates
• Payment processing (via Sub-processor)
• Customer support
• Service improvement and analytics

4.3 Types of Personal Data

The following categories of Personal Data may be Processed:

• Identification data (name, email, phone number)
• Account credentials (encrypted passwords)
• Professional information (credentials, business details)
• Pet information (dog profiles, training records)
• Communication data (messages, notes)
• Usage data (activity logs, preferences)
• Financial data (payment information via Stripe)
• Location data (GPS coordinates for walk tracking)

4.4 Categories of Data Subjects

• Facility owners and administrators
• Dog trainers and staff members
• Pet parents and dog owners
• Emergency contacts

The Processor implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

5.1 Technical Measures

• Encryption of data in transit (TLS 1.2+)
• Encryption of data at rest
• Secure password hashing (bcrypt)
• Multi-factor authentication support
• Regular security assessments and penetration testing
• Web application firewalls
• DDoS protection
• Automated vulnerability scanning
• Secure development practices

5.2 Organizational Measures

• Role-based access controls
• Principle of least privilege
• Employee security training
• Background checks for personnel with data access
• Confidentiality agreements
• Incident response procedures
• Business continuity planning
• Vendor security assessments

5.3 Security Certifications

Our infrastructure providers (Supabase, Vercel) maintain SOC 2 Type II certifications. Information about their security practices is available upon request.

6.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors, subject to the requirements in this Section.

6.2 Current Sub-processors

6.3 Sub-processor Changes

The Processor will notify the Controller of any intended changes to Sub-processors at least 30 days in advance. The Controller may object to a new Sub-processor by notifying the Processor within 14 days of receiving notice. If the parties cannot resolve the objection, the Controller may terminate the affected Services.

6.4 Sub-processor Obligations

The Processor ensures that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

7.1 Assistance

The Processor will assist the Controller in responding to Data Subject requests, including requests for:

• Access to Personal Data
• Rectification of inaccurate data
• Erasure ("right to be forgotten")
• Restriction of Processing
• Data portability
• Objection to Processing

7.2 Response Process

If the Processor receives a Data Subject request directly, it will promptly notify the Controller unless prohibited by law. The Controller is responsible for responding to Data Subject requests.

8.1 Notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Controller's Personal Data.

8.2 Breach Information

The notification will include (to the extent known):

• Nature of the breach, including categories and approximate number of Data Subjects and records affected
• Contact details of the Processor's data protection contact
• Likely consequences of the breach
• Measures taken or proposed to address the breach

8.3 Assistance

The Processor will cooperate with the Controller and take reasonable steps to assist in investigating and mitigating the breach.

9.1 Transfer Mechanisms

Personal Data may be transferred to and processed in the United States. For transfers from the EEA/UK/Switzerland, the Processor relies on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) for UK transfers
• Swiss-approved SCCs for Swiss transfers

9.2 Standard Contractual Clauses

Where applicable, the parties agree to be bound by the Standard Contractual Clauses for the transfer of Personal Data to third countries (Commission Implementing Decision (EU) 2021/914), which are incorporated into this DPA by reference.

9.3 Supplementary Measures

The Processor implements the technical and organizational measures described in Section 5 as supplementary measures to ensure an adequate level of protection for transferred Personal Data.

10.1 Information and Audit

The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Controller or an auditor mandated by the Controller.

10.2 Audit Procedures

• Audits require at least 30 days' prior written notice
• Audits shall be conducted during regular business hours
• Auditors must sign confidentiality agreements
• Audits shall not unreasonably interfere with business operations
• The Controller bears the costs of audits

10.3 Third-Party Certifications

The Controller may satisfy audit requirements by reviewing third-party certifications, attestations, or audit reports provided by the Processor.

11.1 Retention Period

The Processor will retain Personal Data for the duration of the Agreement plus 90 days, unless a longer period is required by law or the Controller provides different instructions.

11.2 Return or Deletion

Upon termination of the Agreement or upon the Controller's request, the Processor will:

• Return Personal Data to the Controller in a commonly used format (JSON/CSV); and/or
• Delete all Personal Data, unless retention is required by law

11.3 Certification

Upon request, the Processor will certify in writing that it has deleted Personal Data in accordance with this Section.

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for:

• Breaches of confidentiality obligations
• Violations of Data Protection Laws to the extent such limitation is prohibited by law
• Fraud or willful misconduct

13.1 Governing Law

This DPA is governed by the laws specified in the Agreement, except that the Standard Contractual Clauses are governed as specified therein.

13.2 Order of Precedence

In case of conflict between this DPA and the Agreement, this DPA prevails with respect to data protection matters. The Standard Contractual Clauses prevail over any conflicting provisions.

13.3 Amendments

This DPA may be updated to reflect changes in Data Protection Laws. The Processor will provide notice of material changes. Continued use of the Services after changes constitutes acceptance.

13.4 Severability

If any provision of this DPA is found invalid or unenforceable, the remaining provisions remain in full force and effect.

For questions about this DPA or data protection matters:

The following appendices form part of this DPA:

• Appendix A: Details of Processing (incorporated in Section 4)
• Appendix B: Technical and Organizational Measures (incorporated in Section 5)
• Appendix C: Sub-processor List (incorporated in Section 6)
• Appendix D: Standard Contractual Clauses (available upon request)

Complete appendices including the full text of Standard Contractual Clauses are available upon request by contacting legal@k9protrain.com.