Data Processing Addendum
- Effective:
- June 1, 2026
This Data Processing Addendum (“DPA”) supplements the Terms of Service and/or Cloud Service Agreement (the “Agreement”) between MySummitKeep LLC, a Florida limited liability company (“Processor” or “MySummitKeep”), and the entity accepting or subject to the Agreement (“Controller” or “Customer”). This DPA sets forth the terms governing Processor’s Processing of Personal Data on behalf of Controller.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person Processed by Processor on behalf of Controller through the Service.
- “Sensitive Personal Data” means a category of Personal Data afforded heightened protection under applicable law, including biometric data, precise geolocation, account credentials, and personal information of children under thirteen (13). The Service does not currently Process health information or ePHI; if and when health-record functionality is added, that data will also be Sensitive Personal Data.
- “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, restriction, erasure, or destruction.
- “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed.
- “Sub-processor” means a third party engaged by Processor to Process Personal Data on behalf of Controller.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Processor.
2. Scope and Roles
Controller determines the purposes and means of Processing. Processor Processes Personal Data solely on behalf of Controller and in accordance with Controller’s documented instructions, including those reflected in the Agreement and the Service’s standard configurations.
The categories of Personal Data, Data Subjects, and the nature and purpose of Processing are described in Annex A.
3. Processor Obligations
3.1 Instructions
Processor shall Process Personal Data only in accordance with Controller’s documented instructions, unless required by applicable law. If Processor believes an instruction infringes applicable data protection law, Processor shall promptly notify Controller.
3.2 Confidentiality
Processor shall ensure that personnel authorized to Process Personal Data have committed themselves to confidentiality.
3.3 Security
Processor shall implement and maintain appropriate technical and organizational measures, described in Annex B, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems.
- Regular testing, assessing, and evaluating the effectiveness of security measures.
- Capability to restore access to Personal Data in a timely manner in the event of a physical or technical incident.
3.4 Data Subject Rights
Processor shall assist Controller in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) by making available appropriate self-service tools and, where reasonably required, providing assistance within ten (10) business days of a written request from Controller.
3.5 Breach Notification
Processor shall notify Controller of a Personal Data Breach without undue delay and in any event within forty-eight (48) hours after becoming aware of it. The notification shall include, to the extent available:
- The nature of the breach.
- Categories and approximate number of Data Subjects and records affected.
- Likely consequences.
- Measures taken or proposed to mitigate.
- Contact information for additional follow-up.
Processor shall provide Controller with information reasonably necessary for Controller to meet its notification obligations under applicable law, including state breach notification laws (e.g., Florida Information Protection Act, California Civil Code § 1798.82, NY SHIELD Act). Where the Personal Data involved is ePHI, the Business Associate Agreement governs and its breach-notification timelines apply in addition to this DPA.
3.6 Data Protection Impact Assessments
Processor shall provide reasonable assistance to Controller with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to Processor.
4. Sub-processors
4.1 General Authorization
Controller provides general written authorization for Processor to engage Sub-processors, subject to the conditions in this Section 4.
4.2 Current Sub-processors
A current list of Sub-processors is published at https://www.mysummitkeep.com/sub-processors. The list is reproduced in Annex C as of the effective date of this DPA.
4.3 Notice of Changes
Processor will notify Controller of any intended changes to Sub-processors (addition or replacement) at least fifteen (15) days before the change takes effect, by email to the Customer’s account administrator and by updating the public Sub-processor list.
4.4 Objection
Controller may object to the addition or replacement of a Sub-processor within fifteen (15) days of notice on reasonable data-protection grounds. If Controller objects, the Parties shall work in good faith to resolve. If resolution is not reached within thirty (30) days, Controller may terminate the affected subscription and receive a refund of pre-paid, unused fees.
4.5 Flow-Down
Processor shall impose written obligations on each Sub-processor that are no less protective than those set forth in this DPA, including obligations regarding security, confidentiality, sub-processor flow-down, and breach notification.
4.6 Liability
Processor remains liable to Controller for the acts and omissions of its Sub-processors.
5. Data Transfers
5.1 Primary Processing Location
Personal Data shall be Processed within the United States.
5.2 Cross-Border Transfers
Where Processor or a Sub-processor Processes Personal Data outside the United States, Processor shall ensure an appropriate transfer mechanism is in place, including:
- EU/EEA Personal Data: the European Commission’s Standard Contractual Clauses (“SCCs”) (Module 3, controller-to-processor) of 4 June 2021, hereby incorporated by reference.
- UK Personal Data: the UK International Data Transfer Addendum to the SCCs, hereby incorporated by reference.
- Swiss Personal Data: the FDPIC-approved version of the SCCs.
Processor shall make a transfer impact assessment available to Controller on request.
6. Audit Rights
6.1 Reports
Processor will make available to Controller, on request and no more frequently than once per year, summary information from third-party audits or certifications relevant to the Service (e.g., SOC 2 Type II reports, when issued).
6.2 On-Site Audits
If summary reports are insufficient to demonstrate compliance with this DPA, Controller may, on at least thirty (30) days’ prior written notice and no more than once per year, conduct or have conducted by a mutually agreed independent auditor an on-site audit of Processor’s facilities and records relevant to this DPA. Audits shall be conducted during regular business hours, subject to Processor’s safety, security, and confidentiality policies, and at Controller’s expense.
6.3 Regulatory or Breach-Driven Audits
The annual frequency limit does not apply to audits required by a supervisory authority or reasonably necessary following a confirmed Personal Data Breach.
7. Liability
The liability of each Party under this DPA is subject to, and forms part of, the limitations and exclusions in the Agreement. Nothing in this DPA increases or decreases the aggregate liability cap set forth in the Agreement.
8. Return and Deletion of Data
Upon termination of the Agreement, Processor shall, at Controller’s election: (a) return all Personal Data to Controller in a commonly used, machine-readable format using the Service’s export tools within thirty (30) days; or (b) delete all Personal Data from its active systems within sixty (60) days, subject to backup retention schedules described in Annex B and any legal hold. Processor shall certify deletion on request.
9. Order of Precedence
In the event of conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls. In the event of conflict between this DPA and the Business Associate Agreement with respect to ePHI, the Business Associate Agreement controls.
Annex A: Details of Processing
Categories of Data Subjects: Scoutmasters, Assistant Scoutmasters, troop committee members, parents and legal guardians, scouts (including minors under thirteen), council administrators, prospective customers.
Categories of Personal Data: Names, email addresses, phone numbers, dates of birth, BSA member IDs, home addresses, advancement records, merit badge progress, camping records, service hours, event attendance, permission-slip responses, payment records (processor tokens only — no full payment-card numbers), financial-account information obtained via Plaid when a unit treasurer links a bank account (account/routing details, balances, transactions), support correspondence.
Categories of Sensitive Personal Data: Account log-in credentials. The Service does not currently Process health information, ePHI, biometric data, or precise geolocation. If and when health-record functionality is enabled, the related categories will be added to this Annex by amendment.
Nature and Purpose of Processing: Providing the Service, including troop management, advancement tracking, event planning, communication facilitation, payment processing, financial-account reconciliation (via Plaid, when a unit treasurer links a bank account), and reporting.
Duration of Processing: For the duration of the Agreement, plus the data-retention periods specified in the Privacy Policy and Children’s Privacy Policy.
Annex B: Technical and Organizational Measures
| Domain | Measure |
|---|---|
| Access control | Role-based access; multi-factor authentication for administrators; least-privilege principle |
| Encryption | TLS 1.2+ in transit; AES-256 at rest |
| Network security | WAF, DDoS protection, segmented networks, restricted egress |
| Application security | Secure SDLC, dependency scanning, periodic penetration testing |
| Logging and monitoring | Centralized audit logging; access to children’s records is logged; tamper-resistant storage |
| Backups | Encrypted backups in U.S. regions; retention ≤90 days |
| Personnel | Background checks where permitted by law; confidentiality obligations; annual security training |
| Vendor management | Written sub-processor agreements with flow-down obligations; annual vendor review |
| Incident response | Written incident-response plan; periodic tabletop exercises; defined notification timelines |
| Business continuity | Documented BCP/DR plan; periodic recovery tests |
Annex C: Approved Sub-processors (as of effective date)
| Sub-processor | Service provided | Location | Personal Data category |
|---|---|---|---|
| Microsoft Azure (Azure SQL, Azure Storage, App Service) | Cloud hosting, database, application runtime | United States | All categories |
| Microsoft Azure Communication Services | SMS and email delivery | United States | Mobile phone numbers, email addresses, message content |
| Stripe, Inc. | Subscription payment processing | United States | Billing information, payment-card tokens |
| Plaid Inc. | Bank-account verification and financial-account linking | United States | Financial account information (account/routing details, balances, transactions) |
| Microsoft Clarity (marketing site only) | Session replay, heatmaps | United States | Marketing-site interaction data (no signed-in users) |
| Google Analytics 4 (marketing site only) | Aggregate web analytics | United States | Marketing-site interaction data (no signed-in users) |
| Meta Platforms, Inc. (Meta Pixel — marketing site only, with consent) | Ad measurement and audience building for Meta/Facebook/Instagram ad campaigns | United States | Marketing-site interaction data (IP address, page URL, browser identifiers) — only after user consents to “Advertising” category |
The authoritative, current list is maintained at https://www.mysummitkeep.com/sub-processors.