Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the SubPro Terms of Service between Let's BJJ Inc. ("SubPro", "Processor") and the Platform User ("Academy Owner", "Controller") who has agreed to the Terms of Service.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed by SubPro on behalf of the Academy Owner.
• "End User Data" means Personal Data of students and subscribers of the Academy Owner's service.
• "Data Protection Laws" means the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Australian Privacy Act 1988, and any other applicable data protection legislation.
• "Sub-processor" means any third party engaged by SubPro to process Personal Data on behalf of the Controller.

2. Roles and Scope

The Academy Owner is the Data Controller. SubPro is the Data Processor. SubPro processes End User Data solely to provide the Service as described in the Terms of Service.

Categories of Data Subjects

Students, subscribers, and other end users of the Academy Owner's video subscription service.

Types of Personal Data Processed

Category	Data
Identity	Name, email address, account credentials (hashed)
Financial	Subscription status, purchase history (card data processed by Stripe, not stored by SubPro)
Usage	Watch progress, notes, playlists, favourites, login activity
Technical	IP address, browser type, device information

3. Processing Instructions

SubPro shall process Personal Data only in accordance with the Controller's documented instructions, which are defined by the functionality of the Service. SubPro shall not process Personal Data for any other purpose unless required by applicable law, in which case SubPro will inform the Controller (unless prohibited by law).

4. Confidentiality

SubPro ensures that all personnel authorised to process Personal Data are bound by obligations of confidentiality.

5. Security Measures

SubPro implements appropriate technical and organisational measures to protect Personal Data, including:

• Encryption in transit (TLS/HTTPS on all endpoints)
• Password hashing (PBKDF2, 100,000 iterations)
• JWT-based authentication with session management and concurrent device limiting
• Rate limiting on authentication endpoints
• Content Security Policy headers on all responses
• Cloudflare WAF managed rulesets
• Daily automated backups to Cloudflare R2
• Tenant database isolation (one D1 database per academy)

6. Sub-processors

The Controller authorises SubPro to engage the following Sub-processors:

Sub-processor	Purpose	Location
Cloudflare, Inc.	Infrastructure, CDN, database (D1), file storage (R2), DNS	Global (US HQ)
Stripe, Inc.	Payment processing, subscription management	US
Mux, Inc.	Video hosting, encoding, delivery	US
Resend, Inc.	Transactional email delivery	US

SubPro will notify the Controller at least 30 days before adding or replacing a Sub-processor. If the Controller objects, they may terminate the Service. SubPro ensures all Sub-processors are bound by data protection obligations no less protective than those in this DPA.

Sub-processor deletion instructions: Upon account deletion, SubPro will instruct each Sub-processor to delete viewer-level personal data as follows: Cloudflare D1/R2 (immediate deletion from active systems, backup rotation within 90 days); Mux (deletion of viewer-level analytics within 30 days via Mux API); Stripe (deletion subject to Stripe's own data retention policies for regulatory compliance); Resend (transactional email logs retained per Resend's retention policy, typically 30 days).

7. International Data Transfers

Personal Data may be transferred to:

• Japan: Under the EU/UK adequacy decisions for Japan.
• United States (Cloudflare, Stripe, Mux, Resend): Under EU/UK Standard Contractual Clauses (SCCs, 2021 version) with supplementary measures as required.

Copies of relevant SCCs are available upon request to privacy@sub-pro.net.

8. Data Subject Rights

SubPro will assist the Controller in responding to requests from Data Subjects to exercise their rights (access, rectification, erasure, portability, restriction, objection) by providing the following self-service tools:

• Data Export: End Users can download all their data via Account > Export My Data
• Account Deletion: End Users can permanently delete their account via Account > Delete Account
• Newsletter Opt-out: End Users can opt out of marketing at any time

For requests that cannot be handled via self-service, SubPro will provide reasonable assistance to the Controller within 15 business days.

9. Data Breach Notification

SubPro will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include:

• The nature of the breach, including categories and approximate number of affected Data Subjects
• Contact details for further information
• Likely consequences of the breach
• Measures taken or proposed to address the breach

10. Audit Rights

SubPro will make available to the Controller all information necessary to demonstrate compliance with this DPA. SubPro will allow and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

11. Return and Deletion of Data

Upon termination of the Service, the Controller may request an export of all End User Data within 30 days. After the 30-day period, SubPro will delete all Personal Data from its systems, except where retention is required by applicable law. Backup copies will be rotated out within 90 days of deletion.

12. SubPro as Independent Controller

For certain categories of data, SubPro acts as an independent Data Controller (not a Processor), including:

• Platform User account data (academy owner profile, billing, usage analytics)
• Aggregated, anonymised platform-wide analytics used for fraud detection, security monitoring, and platform improvement

Where SubPro independently determines the purposes of processing for platform operations or security monitoring, GDPR Article 28 (Processor obligations) does not apply to such processing. SubPro's processing of this data is governed by the Platform Privacy Policy.

13. Term

This DPA remains in effect for the duration of SubPro's processing of Personal Data on behalf of the Controller. It automatically terminates when the Controller's SubPro account is closed and all Personal Data has been deleted in accordance with Section 11.

14. Contact

Data Processor: Let's BJJ Inc. (株式会社Let'sBJJ)
〒160-0023 東京都新宿区西新宿3丁目3番13号 西新宿水間ビル2F
Email: privacy@sub-pro.net