Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Terms of Service and/or Cloud Computing Service Agreement (the “Agreement”) between MySummitKeep LLC, a Florida limited liability company (“Processor” or “MySummitKeep”), and the entity accepting or subject to the Agreement (“Controller” or “Customer”). This DPA sets forth the terms governing the Processor’s processing of personal data on behalf of the Controller.

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller through the Service.
“Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
“Sub-processor” means a third party engaged by Processor to process Personal Data on behalf of Controller.

2. Scope and Roles

Controller determines the purposes and means of Processing Personal Data. Processor processes Personal Data solely on behalf of Controller and in accordance with Controller’s documented instructions.

The categories of Personal Data, Data Subjects, and the nature and purpose of Processing are described in Annex A to this DPA.

3. Processor Obligations

3.1 Instructions

Processor shall process Personal Data only in accordance with Controller’s documented instructions, unless required to do so by applicable law. If Processor believes an instruction infringes applicable data protection law, Processor shall promptly notify Controller.

3.2 Confidentiality

Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security

Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data in transit and at rest.
Zero-knowledge encryption for health-related data fields.
Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.
Regular testing, assessing, and evaluating the effectiveness of security measures.
Ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

3.4 Sub-processors

Processor shall not engage a Sub-processor without Controller’s prior written authorization. Processor shall maintain a current list of Sub-processors and make it available to Controller upon request. Processor shall impose contractual obligations on Sub-processors that are no less protective than those set forth in this DPA.

Processor shall notify Controller of any intended changes to its Sub-processors, providing Controller with an opportunity to object within 15 days. If Controller objects on reasonable data protection grounds, the Parties shall work in good faith to resolve the objection.

3.5 Data Subject Rights

Processor shall assist Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.

3.6 Breach Notification

Processor shall notify Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data breach. Such notification shall include, to the extent available, the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.

3.7 Data Protection Impact Assessments

Processor shall assist Controller with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by applicable law, taking into account the nature of the Processing and the information available to Processor.

4. Data Transfers

Personal Data shall be processed within the United States. Processor shall not transfer Personal Data to any country outside the United States without Controller’s prior written consent and without ensuring appropriate safeguards are in place.

5. Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA. Processor shall allow for and contribute to audits, including inspections, conducted by Controller or Controller’s mandated auditor, upon reasonable notice and no more than once per year, unless a data breach or regulatory investigation necessitates additional audits.

6. Return and Deletion of Data

Upon termination of the Agreement, Processor shall, at Controller’s election, return all Personal Data to Controller or delete all Personal Data from its systems, except to the extent applicable law requires retention. Processor shall certify deletion upon Controller’s request.

Annex A: Details of Processing

Categories of Data Subjects: Scoutmasters, Assistant Scoutmasters, troop committee members, parents/guardians, scouts (including minors under 13), council administrators.

Categories of Personal Data: Names, email addresses, phone numbers, dates of birth, BSA member IDs, home addresses, advancement records, merit badge progress, camping records, service hours, health form data (encrypted under zero-knowledge architecture), event attendance, permission slip responses, payment records.

Nature and Purpose of Processing: Providing the Service, including troop management, advancement tracking, health record storage, event planning, communication facilitation, and reporting.

Duration of Processing: For the duration of the Agreement, plus the data retention period specified in the Privacy Policy and Agreement.