DRAFT — pending legal review, not legally binding

This document is an internal working draft. It has not been reviewed or approved by qualified legal counsel and must not be relied upon as a binding agreement.

Data Processing Agreement

Last updated: June 9, 2026

1. Parties and scope

This Data Processing Agreement (“DPA”) forms part of the agreement between a federation or refereeing body (the “Customer” or “Controller”) and OK Factory, operator of Referee.Observer (the “Processor”). It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the service. It supplements and is incorporated into our Terms of Service.

2. Roles of the parties

For personal data uploaded or managed by the Customer through the platform (including referee profiles, appointments, and performance records), the Customer is the data controller and OK Factory is the data processor.

Where OK Factory determines the purposes and means of processing (for example, operating its own public statistics or improving the platform), OK Factory acts as an independent controller, as described in our Privacy Policy.

3. Subject matter and details of processing

  • Subject matter: provision of referee tracking, analytics, wearable, and AI coaching features.
  • Duration: for the term of the agreement and any retention period thereafter.
  • Nature and purpose: hosting, storing, analysing, and displaying referee data.
  • Categories of data subjects: referees (including minor referees), federation staff, and assessors.
  • Categories of personal data: identity and contact data, license and appointment data, performance metrics, and—where consented—wearable health data including HRV and sleep.
  • Special-category data: health and physiological data processed only on the basis of explicit consent obtained by the Controller or via the platform.

Publicly available sources. Separately from data the Controller uploads or manages, referee and match-official information published on the platform — including official names, appointments, match crews, and aggregate statistics — is compiled from publicly available sources (such as official federation announcements, competition records, and published match reports). The Processor acts as an independent controller for that public reference data, as set out in our Privacy Policy, and it does not form part of the Controller’s instructed processing under this DPA.

4. Processor obligations

The Processor shall:

  • Process personal data only on the Controller’s documented instructions.
  • Ensure persons authorised to process data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (Section 6).
  • Assist the Controller with data-subject requests and security obligations.
  • Notify the Controller without undue delay upon becoming aware of a personal data breach.
  • Delete or return personal data at the end of the engagement, as instructed.
  • Make available information necessary to demonstrate compliance and allow audits.

5. Sub-processors

The Controller authorises the Processor to engage the following sub-processors. The Processor remains responsible for their performance and imposes equivalent data-protection obligations on each.

  • Vercel — hosting and edge infrastructure
  • Neon — database hosting (EU region)
  • Google — authentication; Gemini AI processing
  • DeepSeek — AI coach processing
  • Garmin, Polar, Strava — wearable and fitness data integrations

We will inform the Controller of intended changes to sub-processors and give an opportunity to object.

6. Security measures

The Processor maintains measures appropriate to the risk, including encryption in transit (HTTPS), hashing of credentials, signed session tokens, access controls based on least privilege, EU-region data storage, logging, and regular review of security practices.

7. Wearable and AI data

Wearable health data (including HRV and sleep) and AI coach interactions are processed only where the relevant data subject has given explicit consent. The Processor minimises and, where feasible, pseudonymises data sent to AI providers and instructs providers not to use such data for model training where controls allow.

8. Minor referees

Where the Controller processes data of referees under 18, the Controller is responsible for obtaining and recording verifiable parental or guardian consent. The Processor will support the exercise of consent withdrawal and deletion requests relating to minor referees.

9. International transfers

Where personal data is transferred outside the EEA (for example, to AI providers), the parties rely on the European Commission’s Standard Contractual Clauses and, where applicable, adequacy decisions, together with appropriate supplementary measures.

10. Data subject rights and assistance

Taking into account the nature of processing, the Processor assists the Controller by appropriate technical and organisational measures in fulfilling requests to exercise data subject rights, and in meeting obligations relating to security, breach notification, and data protection impact assessments.

11. Return and deletion

Upon termination of the service, the Processor will, at the Controller’s choice, delete or return all personal data and delete existing copies, unless retention is required by law.

12. Governing law

This DPA is governed by the laws of Italy and the GDPR, and disputes are subject to the exclusive jurisdiction of the courts of Italy, consistent with our Terms of Service.

13. Contact

For data-processing questions or to execute a signed DPA, contact us at legal@referee.observer.