1. Definitions
In this Data Processing Agreement ("DPA"), the following terms have the meanings assigned in POPIA unless otherwise specified:
- "Personal Information" — information relating to an identifiable, living, natural person or juristic person, as defined in POPIA Section 1
- "Processing" — any operation performed on Personal Information, including collection, receipt, recording, organisation, storage, updating, retrieval, use, distribution, deletion, or destruction
- "Responsible Party" — the Club; the entity that determines the purpose and means of processing Personal Information
- "Operator" — Sentinel SportsTech (Pty) Ltd; processes Personal Information on behalf of the Responsible Party
- "Data Subject" — a player, coach, administrator, or other natural person whose Personal Information is processed via the Platform
- "Sub-processor" — a third party engaged by Sentinel to process Personal Information in connection with providing the Platform
- "Security Incident" — any accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to Personal Information
2. Scope of Processing
2.1 Subject matter
This DPA governs Sentinel's processing of Personal Information on behalf of the Club in connection with providing the Sentinel Football Hub platform under the Terms of Service.
2.2 Categories of Personal Information processed
- Player personal information: names, dates of birth, position, physical metrics, performance data, attendance records, coaching notes and ratings
- Coach and administrator personal information: names, email addresses, contact numbers, role assignments
- Media files: player profile images and video footage uploaded by the Club
- Match and session data associated with identified individuals
2.3 Categories of Data Subjects
- Players registered in the Club's squad (including minor players)
- Coaches and staff accounts created by the Club Admin
- Scouted players added to the Club's scouting database
2.4 Purpose of processing
Sentinel processes Personal Information solely for the purpose of providing the Platform to the Club, including: storing and displaying squad data, generating match and training reports, providing analytics features, and delivering all other platform features included in the Club's subscription tier.
2.5 Duration
This DPA remains in effect for the duration of the Club's subscription. On termination or expiry of the subscription, it remains in effect until all Personal Information has been deleted or returned in accordance with Section 9.
3. Sentinel's Obligations as Operator
Sentinel will, in its capacity as Operator:
- Process only on instruction: Process Personal Information only in accordance with the Club's documented instructions (which include these Terms and normal use of the Platform). If Sentinel is required by law to process data in any other way, it will inform the Club unless legally prohibited from doing so.
- Confidentiality: Ensure that authorised personnel who have access to Personal Information are under appropriate confidentiality obligations and receive relevant data protection awareness training.
- Security: Implement the technical and organisational security measures described in Section 6.
- Sub-processors: Only engage sub-processors in accordance with Section 5, and remain liable for sub-processor acts and omissions to the same extent as if Sentinel performed the processing itself.
- Data subject rights: Assist the Club in responding to data subject rights requests in accordance with Section 7.
- Security incidents: Notify the Club in accordance with Section 8 in the event of a Security Incident.
- Deletion: Delete or return all Personal Information in accordance with Section 9 at the end of the DPA term.
- Audit assistance: Provide the Club with reasonable information necessary to demonstrate compliance with this DPA, and cooperate with audits conducted by the Club or its mandated auditor, subject to reasonable notice and confidentiality obligations.
4. Club's Obligations as Responsible Party
The Club confirms that it will, in its capacity as Responsible Party:
- Ensure there is a lawful basis for processing all Personal Information entered into the Platform, including obtaining all necessary consents from data subjects or their "competent persons" (parents/guardians for players under 18)
- Inform data subjects about the processing of their Personal Information in accordance with POPIA's openness and transparency conditions
- Ensure the Personal Information provided to Sentinel for processing is accurate and, where necessary, kept up to date
- Respond to requests from data subjects for access, correction, or deletion of their Personal Information within 30 days
- Comply with all applicable data protection laws in its capacity as Responsible Party
- Register its own Information Officer with the SA Information Regulator if required
- Notify Sentinel promptly if the Club becomes aware of a Security Incident affecting data processed via the Platform
The Club bears full responsibility for the lawfulness of the processing it instructs Sentinel to perform. Sentinel is not responsible for determining whether the Club has obtained appropriate consents from players, parents, or guardians. If Sentinel processes data on an instruction that is later found to be unlawful, the Club indemnifies Sentinel against any resulting liability.
5. Sub-processors
The Club authorises Sentinel to engage the following sub-processors:
| Sub-processor | Location | Processing activity |
|---|---|---|
| Supabase Inc | European Union (eu-west-1) | Database storage, authentication, edge function execution, file storage |
| Vercel Inc | United States / CDN | Static asset hosting, page delivery, CDN caching |
| Cloudflare Inc | United States / CDN | CDN delivery of Font Awesome assets (no personal data transmitted) |
Sentinel will provide at least 14 days' notice to the Club before engaging any new sub-processor or making material changes to an existing sub-processor's role. The Club may object to a new sub-processor within 14 days of notice; if the objection cannot be resolved, either party may terminate the subscription without penalty.
Sentinel requires each sub-processor to agree to data protection obligations that are equivalent to those in this DPA. Sentinel remains fully liable for the acts and omissions of its sub-processors as if Sentinel had performed those acts and omissions directly.
6. Security Measures
Sentinel implements and maintains the following technical and organisational security measures, appropriate to the risks presented by the processing:
Technical measures
- Encryption in transit: All data is transmitted over TLS 1.2 or higher. All API endpoints enforce HTTPS.
- Encryption at rest: Database data and file storage are encrypted at rest using AES-256.
- Authentication: Platform authentication uses Supabase Auth with secure JWT tokens. Passwords are hashed using bcrypt and never stored in plaintext.
- Data isolation: Row-level security (RLS) policies on all database tables ensure each club can only access its own data.
- Access control: Production database and infrastructure access is restricted to authorised Sentinel personnel. Access is reviewed regularly.
- File access: Uploaded files are served via signed URLs that expire after a configurable period. Direct public access to storage buckets is disabled.
- Security headers: The Platform implements security headers including Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security.
Organisational measures
- Data protection awareness for all personnel with access to personal information
- Principle of least privilege — access is granted only as necessary for the role
- Regular security reviews of codebase and infrastructure configuration
- Incident response procedure for Security Incidents (see Section 8)
7. Data Subject Rights
POPIA grants data subjects rights including access, correction, deletion, and objection. Because the Club is the Responsible Party for player data, data subjects (players, parents, coaches) should direct their rights requests to the Club in the first instance.
Sentinel's assistance obligations
Sentinel will provide reasonable technical assistance to the Club to fulfil data subject rights requests, including:
- Confirming whether specific personal information is held on the platform
- Providing a data export in a commonly used format when requested
- Deleting personal information for a specific data subject on the Club's documented instruction
- Correcting inaccurate personal information on the Club's documented instruction
Sentinel will respond to Club requests for data subject assistance within 15 business days. For requests requiring significant data extraction or processing, we may request a reasonable additional period of up to 15 further business days with notice to the Club.
Requests made directly to Sentinel
If a data subject contacts Sentinel directly with a rights request regarding club-managed player data, Sentinel will redirect the data subject to the Club and notify the Club of the request within 5 business days, without processing the request directly unless instructed by the Club.
8. Breach Notification
8.1 Sentinel's notification obligations
In the event of a Security Incident involving Personal Information processed under this DPA, Sentinel will:
- Notify the Club without undue delay and in any event within 48 hours of becoming aware of the Security Incident
- Provide, to the extent known at the time of notification: a description of the nature of the incident; the categories and approximate number of data subjects affected; the categories and approximate number of personal information records affected; the likely consequences of the incident; and the measures taken or proposed to address it
- Cooperate with the Club's investigation and remediation efforts
- Implement all reasonable measures to contain the incident and prevent recurrence
8.2 Club's notification obligations
As the Responsible Party, the Club is legally responsible for notifying:
- The South African Information Regulator — via the eServices Portal (Form SCN1) within 72 hours of becoming aware of a breach that is likely to result in real risk of harm (as required by POPIA and the April 2025 Information Regulator Guidance)
- Affected data subjects — as soon as reasonably practicable after notifying the Regulator
Sentinel will provide the Club with all information reasonably necessary to fulfil these notification obligations. If required by law, Sentinel may notify the Information Regulator independently and will inform the Club of such notification.
9. Data Retention & Deletion
9.1 During the subscription
Sentinel retains all Personal Information for the duration of the Club's active subscription. Data is retained in an accessible state for as long as the subscription remains active.
9.2 On termination
Within 30 days of subscription termination or cancellation:
- The Club may request a full data export (in JSON or CSV format) via stokeswallerq@gmail.com
- After 30 days, all Personal Information associated with the Club's account will be permanently and irreversibly deleted from all systems, including backups
- Sentinel will provide written confirmation of deletion on request
9.3 Exceptions
Notwithstanding the above, Sentinel may retain certain data after the deletion date where required by law, including:
- Billing records and financial transaction data (5 years under the Tax Administration Act)
- Security logs and incident records (12 months, legitimate security interest)
- Data subject to a lawful hold order from a court or regulatory authority
Any retained data will be held in a restricted access environment and processed only for the specific legal purpose.
10. Cross-Border Transfers
As described in Sentinel's Privacy Policy, the Platform's database infrastructure is hosted by Supabase in the European Union. This constitutes a cross-border transfer of Personal Information under POPIA Section 72.
Transfer mechanisms
Sentinel relies on the following mechanisms for this transfer:
- Equivalent protection: The EU's GDPR imposes data protection obligations on Supabase that are equivalent to POPIA requirements in all material respects
- Supabase DPA: Sentinel maintains a binding Data Processing Agreement with Supabase under GDPR Article 28, which governs Supabase's processing of Personal Information and ensures adequate protection
- Informed consent: By accepting these Terms and this DPA, the Club consents to cross-border processing of its data by Supabase in the EU under POPIA s72(1)(b)(ii), having been informed of this transfer and its nature
Regulatory note: South Africa has not issued a formal adequacy determination for the EU under POPIA. The transfer mechanisms above represent our assessment of the most appropriate available grounds. We recommend that clubs with heightened data localisation requirements (e.g. those subject to additional sector-specific regulations) seek independent legal advice.
Changes to sub-processors or data locations
If Sentinel changes its primary database provider or data hosting location, it will notify the Club in advance as part of the sub-processor notification process described in Section 5, giving the Club the opportunity to review the new transfer arrangements.
Questions about this DPA? Contact our Information Officer at stokeswallerq@gmail.com. We can provide additional documentation, answer questions about our sub-processor agreements, and assist with your own POPIA compliance obligations.