Data Processing Addendum

“Personal Data”, “Processing”, “Data Subject”, and “Supervisory Authority” have the meanings given in the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”).

“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

The Processor processes Personal Data for the purpose of providing motorsport telemetry analysis, including CSV ingestion, lap scoring, corner analysis, race strategy computation, and session reporting. Processing continues for the duration of the service agreement.

Categories of data subjects include: team drivers, team managers, and account administrators. Categories of personal data include: names, email addresses, telemetry session metadata (timestamps, GPS coordinates), and billing identifiers.

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing unless that law prohibits such notification.

The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Processor implements appropriate technical and organisational measures including:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for data at rest (database and backups)
• Argon2id password hashing (time cost 3, memory 64 KiB)
• Row-Level Security (RLS) policies isolating workspace data at the database level
• JWT-based authentication with single-use refresh token rotation
• Daily encrypted backups with 7-day retention
• Redis-backed rate limiting across 5 severity tiers

The Controller grants general written authorisation for the Processor to engage sub-processors. The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor. The current sub-processor list is maintained at /subprocessors.

Where a sub-processor fails to fulfil its data protection obligations, the Processor remains fully liable to the Controller for the performance of that sub-processor’s obligations.

The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights: access, rectification, erasure, restriction, portability, and objection.

Self-service data export and account erasure are available through the application. GDPR requests that cannot be handled through self-service may be directed to privacy@lap-coach.racing.

The Processor shall notify the Controller without undue delay, and no later than 72 hours, after becoming aware of a personal data breach. Notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

Primary data processing occurs in EU data centres (Hetzner, Falkenstein, Germany). Where sub-processors process data outside the EEA, Standard Contractual Clauses (SCCs) approved by the European Commission apply. Details of each sub-processor’s data location are listed on the subprocessors page.

Upon termination of the service agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data and delete existing copies unless EU or Member State law requires storage of the Personal Data. Workspace data is retained for the configured retention period and then permanently deleted.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Enterprise customers may request a formal audit through the contact route.