Legal
Data Processing Addendum
Last updated May 12, 2026
Purpose and scope
This Data Processing Addendum (“DPA”) forms part of the agreement between White Sports Ventures LLC (“WSV”, “Processor”) and the customer (“Controller”, “you”) for use of PCI (pci.whitesportsventures.com). It sets out the terms under which WSV processes Personal Data on your behalf in compliance with the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”).
Roles
You are the Controller of Personal Data you submit to PCI (your contact info, your company's financial data, your operator responses). WSV is the Processor and acts only on your documented instructions, which are the product functionality as described in our product documentation and this DPA. Where CCPA/CPRA applies, WSV acts as a Service Provider and is prohibited from selling or sharing Personal Data for cross-context behavioral advertising.
Categories of data
WSV processes the following categories on your behalf:
- Identifiers: name, email address, company name, role title, hashed passwords (via Neon Auth).
- Commercial information: profit & loss, accounts receivable aging, revenue by business line, vendor spend, asset utilization, CRM counts.
- Billing information: Stripe customer ID, subscription status, billing email. Card numbers are never handled by WSV.
- Usage information: agent run history, alert history, AI chat transcripts, uploaded files.
- Technical information: IP address, browser user-agent, reCAPTCHA scores.
Categories of data subjects
- Your employees and authorized users of PCI.
- Your customers, vendors, and business counterparties, where referenced inside financial records you upload or connect.
Processing purposes
WSV processes Personal Data solely to: (a) provide the PCI diagnostic and monitoring agents, (b) operate the subscription and billing, (c) send transactional emails relating to the service, (d) comply with legal obligations, and (e) improve product quality using aggregate or de-identified data only.
Sub-processors
WSV engages the following sub-processors. By using PCI you authorize these relationships.
- Stripe, Inc. — payment processing (PCI-DSS Level 1). US, EU-SCC.
- Neon, Inc. — managed PostgreSQL (application data, auth). US.
- Supabase, Inc. — managed PostgreSQL for the public lead-intake form (segment, company, revenue band, qualification answers, contact details). US.
- Cloudflare, Inc. — edge network and Workers (agent compute). Global, EU-SCC.
- Anthropic, PBC — AI inference for agents and reports. US. API inputs not used for training.
- OpenAI, Inc. — AI inference for adversarial debate in reports. US. API inputs not used for training.
- Vercel, Inc. — application hosting and Blob storage. US, EU-SCC.
- Resend, Inc. — transactional email. US.
- Google LLC (reCAPTCHA) — bot protection on public forms. US.
- Intuit Inc. / Xero Ltd. — accounting data OAuth connectors. Only when you choose to connect.
- Brave Software, Inc. — web search for certain agents (Benchmark Intelligence, Deal Prep, Lead Qualifier, Owned Channel Intelligence). US.
- Sentry (Functional Software, Inc.) — error monitoring. US.
WSV gives 30 days' advance notice of any new or replacement sub-processor by updating this list. You may object in writing within that period; if the objection cannot be resolved, you may terminate the subscription and receive a pro-rated refund.
International transfers
Personal Data originating in the EEA, UK, or Switzerland may be transferred to the United States and processed by sub-processors listed above. Transfers rely on the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and the EU-US Data Privacy Framework where the sub-processor is certified. On request, WSV will make the executed transfer instruments available for your records.
Security measures
- TLS 1.2+ in transit for all API traffic; HSTS enforced on pci.whitesportsventures.com.
- Storage-layer encryption at rest provided by our managed infrastructure providers (Neon PostgreSQL, Supabase, Vercel Blob, Cloudflare Workers KV and Durable Objects). Application-level field encryption is applied to OAuth tokens; other Personal Data and financial records rely on provider-managed disk encryption.
- OAuth tokens for QuickBooks/Xero are additionally encrypted at the application layer using AES-256-GCM with HKDF-derived per-subscriber keys before being written to Cloudflare Durable Object storage.
- reCAPTCHA v3 on registration and contact forms; rate limiting on authenticated endpoints.
- Subscription audit log capturing every state change for dispute resolution.
- Role-based access: production database access limited to named WSV engineers.
- Content Security Policy, X-Frame-Options, and HSTS headers on all application responses.
- Dependency vulnerability scanning via automated tooling; production secrets stored in Vercel environment and Cloudflare Workers secrets.
Data subject rights
You can fulfill data subject requests using the following self-service endpoints, or by emailing us:
- Access & portability: “Account → Export my data” returns a ZIP of all Personal Data we hold, within 30 days (usually minutes).
- Deletion / erasure: “Account → Delete my account” soft-deletes within seconds and hard-purges after a 30-day grace period.
- Rectification, restriction, objection: email jeremiah@whitesportventures.com. We respond within 30 days.
- CCPA “Do Not Sell or Share My Personal Information”: WSV does not sell Personal Data and does not share it for cross-context behavioral advertising. No action is required on your part.
Data retention
- Active accounts: retained for the life of the subscription plus 90 days after cancellation to support reactivation.
- Deleted accounts: soft-deleted on request, hard-purged after 30 days.
- Audit log: subscription state changes and data-export history retained for 7 years for regulatory purposes, with user_id preserved even after account deletion (legitimate interest — compliance, tax, fraud).
- Transactional emails: delivery metadata retained 90 days.
Breach notification
WSV will notify you without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting your data. The notice will include the nature of the breach, categories and approximate number of records affected, likely consequences, and remedial measures taken or proposed.
Audit rights
Upon reasonable written notice and no more than once per year, you may request a copy of WSV's security practices summary, sub-processor registry, and the latest penetration test or third-party audit summary where one exists. On-site audits are not available; equivalent assurance can be provided via documentation and written Q&A.
Return or deletion after termination
On termination of the subscription, you may export your data via the self-service endpoint at any time before hard-purge. After the 30-day grace period, WSV deletes all Personal Data from live systems; derivative aggregate statistics and the audit log (see Retention) may persist. Backups containing Personal Data are overwritten within 90 days of deletion.
Contact
Data protection queries and notices under this DPA: jeremiah@whitesportventures.com
White Sports Ventures LLC • See also our Privacy Policy and Terms of Service.