Parties:

• Asia Trade, operating as an Individual Entrepreneur (IP) in Kazakhstan and in Hungary (the “Processor”).

• The customer using the Processor’s services (the “Controller”).

Together referred to as the “Parties.”

1. Subject Matter and Duration

1.1. This Data Processing Agreement (DPA) governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the basketball statistics desktop application and league management website (the “Services”).

1.2. Processing shall continue for the duration of the Controller’s use of the Services and until deletion of all Personal Data in accordance with this Agreement.

2. Roles and Responsibilities

2.1. The Controller determines the purposes and means of processing Personal Data.

2.2. The Processor processes Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by law.

2.3. The Controller ensures that it has a lawful basis for all Personal Data uploaded into the Services, including data of minors, and that necessary consents or approvals are obtained.

3. Categories of Data and Processing

3.1. The Processor may process Personal Data including, but not limited to: names, surnames, dates of birth, photos, emails, phone numbers, social media links, device identifiers, league details, and other data necessary for the performance of the Services.

3.2. Processing activities include: storage, hosting, access control, backup, analytics, and technical support.

4. Sub-processors

4.1. The Controller authorizes the Processor to engage sub-processors as necessary for the provision of Services. Current sub-processors include:

• Amazon Web Services (AWS), Frankfurt (EU) – hosting and storage

• Google Gmail – email communication

4.2. The Processor may add or replace sub-processors by providing notice to the Controller. The Controller may object in writing within 14 days.

5. International Transfers

5.1. Data is primarily processed in the EU (Frankfurt) and may be processed in Kazakhstan.

5.2. Where data is transferred outside the EEA, the Processor shall ensure adequate safeguards in accordance with GDPR Chapter V.

6. Security Measures

6.1. The Processor shall implement appropriate technical and organizational measures, including but not limited to:

• Restricted access to systems and data

• Secure hosting on AWS

• Weekly backups retained for up to 12 months

6.2. The Controller acknowledges that no system is completely secure.

7. Data Breach Notification

7.1. The Processor shall notify the Controller without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data breach.

7.2. The Processor shall provide all relevant details to support the Controller’s legal obligations.

8. Data Subject Rights

8.1. The Processor shall assist the Controller, to the extent technically possible, in responding to data subject requests (access, deletion, correction, portability).

8.2. The Controller remains responsible for handling and responding to such requests.

9. Deletion and Return of Data

9.1. Upon termination of Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data, unless retention is required by law.

10. Audits

10.1. The Processor shall make available information necessary to demonstrate compliance and allow for audits by the Controller or a third-party auditor mandated by the Controller.

10.2. Audits shall not unreasonably disrupt the Processor’s business operations.

11. Governing Law and Jurisdiction

11.1. This DPA shall be governed by:

• GDPR and Hungarian law for Controllers established in the EU

• Kazakh law, with GDPR compliance obligations where applicable, for Controllers established in Kazakhstan

11.2. In the event of conflict, GDPR provisions shall prevail for EU data subjects.

12. Liability

12.1. Each Party shall be liable for the damages caused by its breach of this DPA or applicable data protection laws.

12.2. The Controller remains responsible for the legality of Personal Data uploaded into the Services.

13. Miscellaneous

13.1. Amendments must be in writing and accepted electronically by the Controller (including via checkbox acceptance in the Services).

13.2. If any provision of this DPA is held invalid, the remainder shall remain in effect.