Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between SupaHit (“Processor”) and the VDojo customer (“Controller”) who operates a dojo using the VDojo platform. This DPA governs the processing of personal data that the Controller’s students, members, leads, and staff entrust to the Controller and that the Controller processes through the VDojo Service.

By using VDojo to manage your dojo, you agree to this DPA. Capitalized terms not defined herein have the meanings given in the Terms of Service and Privacy Policy.

1. Definitions

  • “Controller” means the VDojo customer (dojo owner/operator) who determines the purposes and means of processing personal data of their students, members, leads, and staff.
  • “Processor” means SupaHit, which processes personal data on behalf of the Controller through the VDojo platform.
  • “Personal Data” means any information relating to an identified or identifiable natural person that the Controller processes through VDojo.
  • “Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and deletion.
  • “Sub-processor” means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data, including GDPR (EU/EEA), UK GDPR, CCPA/CPRA (California), TDPSA (Texas), and other applicable US state privacy laws.

2. Scope and Purpose of Processing

2.1 Categories of Data Subjects

  • Students and members of the Controller’s dojo
  • Prospective students (leads) who have inquired about the dojo
  • Parents and legal guardians of minor students
  • Dojo staff members (managers, instructors)

2.2 Categories of Personal Data

  • Identity data: names, email addresses, phone numbers, profile photos
  • Student records: enrollment status, belt/rank progression, promotion history, program assignments
  • Attendance data: class check-ins, booking records, waitlist positions
  • Communication data: messages in dojo channels, email/SMS communication logs, announcements
  • Financial data: subscription status, billing references (actual payment card data is processed by Stripe and never stored by the Processor)
  • Health-adjacent data: injury severity levels shared by students who opt in (see Consumer Health Data Privacy Policy)
  • Lead/CRM data: lead status, source, activity logs, drip campaign enrollment
  • Waiver data: digital waiver signatures, signing timestamps, IP addresses
  • Training data (opt-in): training session summaries for students who enable training log sharing

2.3 Purpose

The Processor processes Personal Data solely for the purpose of providing the VDojo dojo management service to the Controller, including: student management, class scheduling, attendance tracking, belt/rank management, billing, communications, lead management, reporting, staffing intelligence, curriculum delivery, and related features as described in the Terms of Service.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (which are embodied in the Controller’s use of VDojo features), unless required to do so by applicable law, in which case the Processor will inform the Controller before processing (unless prohibited by law).
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
  • Implement appropriate technical and organizational security measures as described in Section 6.
  • Assist the Controller in responding to data subject rights requests (access, correction, deletion, portability) through the VDojo platform’s built-in features and, where necessary, through direct support.
  • Assist the Controller in meeting its obligations regarding data breach notification, data protection impact assessments, and consultation with supervisory authorities, where applicable.
  • At the Controller’s choice, delete or return all Personal Data upon termination of the service, as described in Section 9.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 10.

4. Obligations of the Controller

The Controller shall:

  • Ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process it.
  • Obtain all necessary consents from data subjects (students, members, parents, leads) as required by Applicable Data Protection Law before entering their data into VDojo.
  • Maintain and publish its own privacy policy that accurately describes its data processing practices, including its use of VDojo as a processor.
  • Use VDojo’s communication tools (email, SMS, drip campaigns) in compliance with CAN-SPAM, TCPA, and applicable electronic communications laws, including obtaining proper consent for SMS messages.
  • Notify the Processor promptly of any data subject requests that require the Processor’s assistance.
  • Ensure that its instructions to the Processor comply with Applicable Data Protection Law.

5. Sub-processors

5.1 Authorized Sub-processors

The Controller authorizes the Processor to engage the following sub-processors:

  • Supabase, Inc. (San Francisco, CA, USA) — Database hosting, authentication, real-time subscriptions, file storage
  • Stripe, Inc. (San Francisco, CA, USA) — Payment processing (PCI-DSS Level 1 certified; processes payment card data directly)
  • Resend, Inc. (San Francisco, CA, USA) — Email delivery for transactional and dojo-to-member communications
  • Twilio, Inc. (San Francisco, CA, USA) — SMS delivery for dojo communications
  • Expo / 820 Labs, Inc. (Palo Alto, CA, USA) — Push notification delivery to mobile app users
  • Vercel, Inc. (San Francisco, CA, USA) — Web application hosting (VDojo web app)

5.2 Sub-processor Changes

The Processor will notify the Controller via email at least 30 days before adding or replacing a sub-processor. The Controller may object to the change within that 30-day period by contacting privacy@supahit.com. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services.

5.3 Sub-processor Obligations

The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA. The Processor remains fully liable to the Controller for the acts and omissions of its sub-processors.

6. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

6.1 Technical Measures

  • Encryption in transit (TLS 1.2+/HTTPS for all connections)
  • Encryption at rest (AES-256 via Supabase infrastructure)
  • Row-level security (RLS) database policies ensuring data isolation between dojos
  • Role-based access control (RBAC) with three permission levels: owner, manager, instructor
  • Cryptographic password hashing (bcrypt via Supabase Auth)
  • Rate limiting on authentication and API endpoints
  • Input validation and sanitization on all user inputs
  • Magic-byte file validation for all uploads
  • Timing-safe comparisons for security-sensitive token operations
  • SECURITY DEFINER database functions enforcing data minimization (e.g., injury severity-only sharing)

6.2 Organizational Measures

  • Regular security audits of codebase and infrastructure
  • Principle of least privilege for all system access
  • Documented incident response procedures
  • Secure development practices including code review

7. Data Breach Notification

  • The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting the Controller’s Personal Data.
  • The notification shall include: (a) the nature of the breach, including the categories and approximate number of data subjects and records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) a contact point for further information.
  • The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  • The Processor shall document all Data Breaches and make documentation available to the Controller upon request.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to data subject rights requests:

  • Access and portability: The Controller can export student, attendance, billing, and communication data through VDojo’s reporting features. For bulk data exports, contact support@supahit.com.
  • Correction: The Controller can correct student data directly through the VDojo interface (student profiles, belt records, lead records).
  • Deletion: The Controller can delete individual student records through VDojo. For bulk deletion or complete data erasure, contact privacy@supahit.com.
  • Restriction and objection: The Processor shall assist the Controller in implementing any restrictions on processing as required.

The Processor shall respond to Controller assistance requests within 10 business days.

9. Data Return and Deletion

9.1 During the Subscription

The Controller may export data at any time through VDojo’s built-in reporting and export features. Data is provided in standard formats (CSV, JSON).

9.2 Upon Termination

  • Upon termination or expiration of the VDojo subscription, the Controller has 30 days to export all data through the platform or by requesting a data export from support@supahit.com.
  • After the 30-day export window, the Processor shall delete all Controller Personal Data from active systems within 30 days.
  • Backup copies containing Controller data shall be purged within 90 days of deletion from active systems.
  • The Processor may retain data required by law (e.g., billing records for tax compliance) in accordance with the retention schedule in the Privacy Policy.

9.3 Student Data Continuity

Students who have their own SupaHit accounts retain their personal training data (sessions, injuries, goals, social content) independently of the dojo’s subscription. Termination of a VDojo subscription does not delete a student’s personal SupaHit account data.

10. Audits

  • The Processor shall make available to the Controller, upon reasonable request, information necessary to demonstrate compliance with this DPA.
  • The Controller may conduct or commission an audit of the Processor’s compliance with this DPA, with reasonable advance notice (at least 30 days), during normal business hours, and no more than once per year.
  • The Controller shall bear the costs of any audit it initiates. The audit shall not unreasonably disrupt the Processor’s operations.
  • The Processor may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation from its sub-processors.

11. International Transfers

All Personal Data is stored and processed in the United States by the Processor and its sub-processors. For Controllers located in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • Transfers are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision 2021/914), which are incorporated by reference into this DPA. Module Two (Controller to Processor) applies.
  • Where applicable, transfers may also rely on sub-processors’ certification under the EU-US Data Privacy Framework.
  • The Processor shall promptly inform the Controller if it becomes aware that it can no longer comply with the SCCs or applicable transfer mechanisms.

12. CCPA/CPRA Service Provider Terms

To the extent that the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply to the Controller’s data:

  • The Processor acts as a Service Provider as defined under CCPA/CPRA.
  • The Processor shall not sell or share (as defined by CCPA/CPRA) the Controller’s Personal Data.
  • The Processor shall not retain, use, or disclose Personal Data for any purpose other than providing the VDojo service as specified in this DPA and the Terms of Service.
  • The Processor shall not combine Personal Data received from the Controller with data received from other sources, except as permitted by CCPA/CPRA for service provider activities.
  • The Processor certifies that it understands its obligations under CCPA/CPRA and will comply with them.

13. Liability

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party’s liability for breaches of Applicable Data Protection Law to the extent such limitation is prohibited by law.

14. Term and Termination

This DPA takes effect when the Controller begins using VDojo and remains in effect for the duration of the Controller’s VDojo subscription. The obligations regarding data return (Section 9), confidentiality, and audit rights survive termination.

15. Amendments

The Processor may update this DPA to reflect changes in Applicable Data Protection Law or processing practices. Material changes will be communicated to the Controller via email at least 30 days before taking effect. Continued use of VDojo after the effective date constitutes acceptance. If the Controller does not agree with the changes, it may terminate the subscription before the changes take effect.

16. Contact

For questions about this DPA or to exercise any rights under it: