Version: 1.0
This Data Processing Agreement (“DPA”) forms part of the agreement between:
- [CUSTOMER_LEGAL_NAME] (“Customer”, “you”), who uses the CoachRocks services as described in the Terms of Service or applicable order form (together, the “Agreement”); and
- CLE LTD. (“CoachRocks”, “Processor”, “we”, “us”),
regarding the processing of personal data by CoachRocks on behalf of Customer when Customer acts as a controller (or joint controller where agreed in writing) and CoachRocks acts as processor under Regulation (EU) 2016/679 (“GDPR”) and, where applicable, the UK GDPR.
If Customer is a consumer-only user without organisational client data, this DPA may not apply; it applies where Customer processes third-party personal data (e.g. coaching clients) in the Services.
1. Definitions
Terms used in this DPA have the meanings in Article 4 GDPR unless defined below:
- “Personal data”, “processing”, “controller”, “processor” — as in GDPR.
- “Services” — CoachRocks cloud platform and related services under the Agreement.
- “Sub-processor” — a processor engaged by CoachRocks to process personal data on behalf of Customer.
- “Clauses” — Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum issued by the UK ICO.
2. Subject matter, duration, nature, and purpose
Subject matter: Processing of personal data related to Customer’s use of the Services to manage coaching practice, sessions, media, integrations, and related features.
Duration: For the term of the Agreement and until Customer deletes such data or terminates the Services, plus the period needed for deletion of backups as described in our Privacy Policy.
Nature and purpose of processing: Hosting, storage, retrieval, display, transmission, security monitoring, support, and provision of product features requested by Customer, including AI-assisted processing where enabled (transcription, analysis, content generation) as described in the AI Transparency Notice.
Categories of data subjects: Customer’s clients and other individuals whose data Customer uploads or imports (e.g. calendar attendees, meeting participants).
Categories of personal data: Identity and contact data; session metadata; recordings and transcripts; notes and contractual fields; AI-generated insights derived from the foregoing; technical identifiers as described in the Privacy Policy.
Special categories: Customer must not instruct CoachRocks to process special categories of data except where permitted by law and documented; incidental occurrence in recordings is possible and Customer remains responsible for lawful basis and minimisation.
3. Customer instructions
CoachRocks will process personal data only:
- On documented instructions from Customer (including via the Agreement, configuration of the Services, and support tickets); and
- As required by EU/UK law applicable to CoachRocks as processor; in that case CoachRocks will inform Customer of the legal requirement unless prohibited by law.
If CoachRocks believes an instruction infringes GDPR, we will inform Customer.
4. Confidentiality
Personnel authorised to process personal data are bound by confidentiality obligations or statutory duties.
5. Security of processing
CoachRocks implements technical and organisational measures appropriate to the risk, including:
- Access controls and authentication;
- Encryption in transit (HTTPS) and encryption at rest where implemented for relevant systems;
- Logical separation of tenants;
- Vendor due diligence and incident response procedures.
A summary is available on request; detailed security documentation may be provided under confidentiality.
6. Sub-processors
6.1 Authorised sub-processors. Customer authorises CoachRocks to engage sub-processors listed at https://coachrocks.com/subprocessors (or provided by email) to perform processing activities described there.
6.2 Changes. CoachRocks will give Customer notice of new or replacement sub-processors (e.g. by email or in-product notice) and allow a reasonable objection period where required by law. If objection cannot be resolved, either party may terminate the affected Services as the sole remedy.
6.3 Flow-down. CoachRocks will impose data protection terms on sub-processors that are substantially similar to this DPA.
6.4 Current categories (illustrative): Cloud hosting and database; object storage/CDN; AI and speech services; email delivery; Google APIs for OAuth/calendar where Customer connects Google; meeting/bot integrations where Customer uses those features.
7. Data subject rights
Taking into account the nature of processing, CoachRocks will assist Customer by appropriate technical and organisational measures in responding to requests to exercise GDPR rights, insofar as possible.
Where a request is sent directly to CoachRocks, we will prompt Customer to respond unless Customer has authorised us to respond directly.
8. Assistance with DPIAs and prior consultation
CoachRocks will provide reasonable assistance with Customer’s data protection impact assessments and prior consultations with supervisory authorities relating to CoachRocks’ processing, where required by Article 35 or 36 GDPR.
9. Breach notification
CoachRocks will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer’s personal data processed under this DPA, and will provide information reasonably required for Customer’s Article 33/34 obligations, where such information is available.
10. Deletion or return
At the end of the Services (or on Customer’s written request), CoachRocks will delete or return personal data in accordance with the Agreement and Privacy Policy, unless retention is required by law. Backups may persist for a limited period in line with our backup lifecycle before automatic deletion.
11. Audits and demonstrations
Where Article 28(3)(h) GDPR applies, CoachRocks will make available information necessary to demonstrate compliance and allow for audits by Customer or an auditor mandated by Customer, subject to:
- Reasonable notice;
- No more than [once / twice] per year except for a genuine suspected breach;
- Confidentiality and security rules (e.g. no access to other customers’ data);
- Substitution with a third-party certification or SOC 2 / ISO 27001 report where available.
12. International transfers
Where personal data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties will rely on:
- EU SCCs (module two: controller to processor, or module three as applicable) with the Annexes completed as below; and/or
- UK Addendum to the EU SCCs where UK transfers apply.
CoachRocks agrees to implement supplementary measures where required by EDPB guidance (e.g. encryption, access controls).
Annex A (SCCs) — Summary completion
- Data exporter: Customer (address as on account or order form).
- Data importer: CLE LTD., Floor 11, No.172, Section 2, Minsheng East Road, Taipei 10485, Taiwan.
- Role: Module Two (Controller to Processor) unless parties agree Module Three in writing.
- Competent supervisory authority: not applicable (no EU establishment), or as per SCC rules.
- Technical and organisational measures: As Section 5 and security documentation.
- Sub-processors: As Section 6.
Full SCC text is incorporated by reference: available on request from support@coachrocks.com
13. Liability
Liability for processing breaches is subject to the Agreement. Where the GDPR allocates direct liability to the processor, nothing in the Agreement excludes limitations that cannot legally be excluded.
14. Order of precedence
If there is a conflict between this DPA and the Agreement regarding processing of personal data, this DPA prevails for data protection matters, except where the Agreement provides stronger protection for data subjects.
15. Signature / acceptance
This DPA is accepted by:
- [Electronic acceptance / signature / order form reference] on [DATE]; or
- Execution below.
CUSTOMER: [CUSTOMER_LEGAL_NAME]
Name: _________________________
Title: _________________________
Signature: _________________________
Date: _________________________
PROCESSOR: CLE LTD.
Name: _________________________
Title: _________________________
Signature: _________________________
Date: _________________________
This document is a template for legal review. It does not constitute legal advice. Have qualified counsel adapt SCC modules, roles, and liability to your contracts.