Data Processing Agreement
Last updated: April 17, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Skor Systems ("Skoreboard," "we," "us") and the business entity that agreed to Skoreboard's Terms of Service ("Customer," "you"). It governs our processing of personal information relating to your employees, contractors, and any other individuals whose data you upload or generate through the Skoreboard services (collectively, "Service Data").
1. Roles of the Parties
Customer is the "Business" (CCPA) / "Controller" (common terminology) for Service Data. Skoreboard is the "Service Provider" (CCPA §1798.140(ag)) / "Processor." Skoreboard will process Service Data only on documented instructions from Customer and solely as necessary to provide the services described in the Terms.
2. Scope & Purpose
Skoreboard will process Service Data for the following purposes only: operating the staff performance tracking platform, delivering scoreboards, processing e-signatures for compliance documents, generating analytics requested by Customer, sending transactional and policy-acknowledgment emails, and meeting legal obligations. Skoreboard will not "sell" or "share" Service Data within the meaning of CCPA §1798.140(ad) / §1798.140(ah). Skoreboard will not combine Service Data with data from other sources except to provide the Services or comply with law.
3. Categories of Service Data
- Identifiers (name, email, phone, internal user ID)
- Employment-related information (role, employment type, hours, shift assignments, performance scores, task completions, policy acknowledgments)
- Technical identifiers (IP address, user-agent, timestamps for audit + e-signature purposes)
- Authentication artifacts (password hashes — never cleartext; TOTP secrets — encrypted at rest)
4. Security Measures
Skoreboard maintains the following controls:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 for database storage via Neon)
- Role-based access control; least-privilege within Skoreboard
- Multi-factor authentication for Skoreboard staff with production access
- Centralized audit logging of login, password change, 2FA events, role changes, policy signing, billing events, and data exports
- Account lockout after 10 failed login attempts (15-minute cooldown)
- Vulnerability scanning via automated dependency audits; periodic security code review
- HTTP security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy)
5. Sub-processors
Skoreboard engages the following sub-processors. See Privacy Policy §5 for the live list with regions.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Application hosting, CDN | US (iad1) |
| Neon Inc. | Postgres database host | US |
| Stripe Inc. | Payment processing | US |
| Twilio SendGrid Inc. | Transactional email | US |
| Cloudinary Ltd. | Image hosting (avatars) | US |
Skoreboard will notify Customer of any proposed addition or replacement of a sub-processor at least 15 days before the change takes effect, by email to the billing contact on file. Customer may object in writing within 10 days; Skoreboard will work in good faith to address objections.
6. Data Subject Rights Assistance
When Customer receives a verifiable request from an individual exercising rights under CCPA/CPRA or comparable US state privacy law (access, deletion, correction, opt-out), Skoreboard will provide reasonable assistance, including exporting that individual's data from Customer's tenant on request. Self-service export and deletion tools are also available to individual users at /staff/profile.
7. Breach Notification
Skoreboard will notify Customer of any confirmed personal information security breach involving Service Data without undue delay and in any event within 72 hours of confirmation. Notification will include: the nature and scope of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed.
8. Data Retention & Return
On termination of the subscription, Customer's Service Data is retained for 30 days to facilitate account reactivation, then purged. On written request, Customer may receive a machine-readable export of its tenant's Service Data within 15 business days of the request.
Audit logs are retained for up to 2 years. Payment records are retained as required by US tax law (typically 7 years). Deleted user accounts are anonymized within 30 days of the deletion request.
9. Audit Rights
Skoreboard will make available to Customer on reasonable request documentation sufficient to demonstrate compliance with this DPA, including sub-processor lists, security control summaries, and (when available) independent attestation reports. On at least 30 days' written notice, Customer may conduct or instruct an auditor (subject to reasonable confidentiality obligations) to audit Skoreboard's facilities and records to the extent strictly necessary to verify compliance, at Customer's expense.
10. Governing Law
This DPA is governed by the laws of the State of California, without regard to its conflict-of-laws principles. Disputes will be resolved as set out in the Terms of Service.
11. Contact
For questions about this DPA, or to initiate a sub-processor objection, data subject request, or audit, contact: hello@skorops.com
Skor Systems, San Ysidro, CA 92143, USA