Data Processing Addendum

Enterprise

Last Updated: December 2, 2025

This Data Processing Addendum ("DPA") supplements the agreement ("Agreement") between Nylaan Technologies LLC, d/b/a Sports AI Nation ("Processor") and the educational institution, district, athletic department, or authorized organization ("Controller").

This DPA is intended to support institutional compliance requirements relating to student data privacy, FERPA, and relevant state student data protection laws.

1. Definitions

"Student Data" means information relating to identifiable students supplied or authorized by the Controller, including:

  • Rosters
  • Demographics
  • Performance statistics
  • Educational or athletic records
  • Uploaded media

"Processor" means Nylaan Technologies LLC, d/b/a Sports AI Nation, as service provider.

"Subprocessor" means a third party engaged by Processor to process data on behalf of Controller.

"Security Incident" means unauthorized access or disclosure of Student Data under Processor's control.

2. Purpose and Scope

Processor will process Student Data solely to:

  • Provide the Services
  • Maintain platform functionality
  • Support analytics and performance insights requested by Controller
  • Ensure system security and integrity
  • Comply with legal obligations

Processor will not process Student Data for:

  • Advertising
  • Behavioral profiling
  • Sale or resale
  • Independent commercial exploitation

3. Controller Responsibilities

Controller acknowledges and agrees:

  • Controller determines which Student Data is entered
  • Controller manages who has access to such data
  • Controller obtains necessary parental or guardian permissions
  • Controller is responsible for accuracy and legitimacy of data
  • Controller configures which information is publicly displayed

4. Processor Obligations

Processor will:

  • Process Student Data only per Controller instructions
  • Restrict access to authorized personnel
  • Maintain confidentiality obligations for staff and contractors
  • Implement commercially reasonable security measures
  • Assist Controller in responding to valid data subject requests
  • Provide data export tools at Controller request

5. Subprocessors

Processor may use trusted service providers to deliver infrastructure, authentication, media storage, or analytics. Representative examples include:

  • Cloud hosting services
  • Authentication providers
  • Storage/CDN systems
  • Analytics or ML infrastructure

Processor will:

  • Ensure Subprocessors are bound by data protection obligations
  • Provide notice of material changes when feasible
  • Allow Controller to raise reasonable objections

6. Security Measures

Processor maintains administrative, technical, and organizational safeguards, which may include:

  • Encryption in transit and at rest
  • Role-based access controls
  • Audit and access logs
  • System monitoring
  • Authenticated access
  • Segregated production environments

Exact measures may evolve as technology and threats change.

7. Security Incidents

In the event of a confirmed Security Incident, Processor will:

  • Notify Controller without undue delay
  • Provide available relevant details
  • Take reasonable steps to mitigate risks
  • Support Controller's lawful obligations

Notification is not an admission of fault or liability.

8. Data Retention and Deletion

During the Agreement:

  • Controller may request export of Student Data
  • Processor may retain infrastructure logs or backups as required

After termination:

  • Controller may request data export
  • Processor will delete Student Data as technically feasible, subject to:
    • Legal retention requirements
    • Financial records
    • Fraud monitoring
    • Audit obligations
    • Disaster recovery backups

Backups are destroyed according to scheduled cycles.

9. FERPA & Educational Records

Processor provides tools and systems that support Controller compliance with FERPA. Controller remains responsible for determining:

  • Who has access
  • Whether users have legitimate educational interest
  • Whether use complies with institutional policy

Processor does not independently determine record categories or instructional use.

10. State Student Privacy Laws

This DPA is designed to align with applicable state-level student data protections such as:

  • NY Ed Law 2-d
  • SOPIPA (California)
  • Colorado Student Data Transparency Act
  • Similar applicable regulations

Where state law requires additional terms, amendments may be attached as exhibits.

11. Audit

Controller may request a compliance review not more than once annually.

Processor may satisfy audit requirements by providing:

  • SOC reports
  • Penetration or security assessments
  • Third-party certifications
  • Equivalent documentation

Audits must:

  • Be performed with reasonable notice
  • Not disrupt operations
  • Exclude proprietary system details

12. Term

This DPA remains in effect while the Agreement is active. Confidentiality, deletion, and breach obligations survive termination.

13. Contact

For DPA matters:

Nylaan Technologies LLC, d/b/a Sports AI Nation

Grand Rapids, Michigan, USA

dpa@sportsaination.com

Need a signed copy?

Contact us to receive an executable DPA for your district.
