Skip to content

Legal

Data Processing Agreement

Last updated: Version 1.0 — 2 May 2026

This Data Processing Agreement (the “DPA”) forms part of the VeriScout Terms of Service (the “Agreement”) between VeriScout ApS, CVR 46154223, Fogedvænget 98, 8722 Hedensted, Denmark (“Processor” or “VeriScout”) and the customer named in the relevant Order Form (the “Controller” or “Customer”).

This DPA applies to the extent that VeriScout processes Personal Data on behalf of the Customer in connection with the Service. Where VeriScout determines the purposes and means of processing (for example, processing of Player Data sourced from publicly available materials), VeriScout acts as an independent controller and that processing is governed by VeriScout's Privacy Policy, not by this DPA.

By signing or accepting the Agreement, the parties also accept this DPA. No separate signature is required.

1. Definitions

Capitalised terms not defined here have the meaning given in the Agreement. In addition:

  • “Data Protection Laws” — all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act (as amended by the CPRA, “CCPA”).
  • “Personal Data”, “processing”, “data subject”, “controller”, “processor”, “sub-processor” and “personal data breach” have the meanings given in Article 4 GDPR.
  • “Standard Contractual Clauses” or “SCCs” — the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as updated from time to time.
  • “UK Addendum” — the International Data Transfer Addendum issued by the UK Information Commissioner's Office in February 2022.

2. Roles of the parties

The Customer is the controller of Personal Data it submits to the Service or that it instructs VeriScout to process on its behalf (“Customer Personal Data”). VeriScout is the processor of Customer Personal Data.

VeriScout is an independent controller of Player Data and other content that VeriScout itself compiles, as described in its Privacy Policy. That processing is outside the scope of this DPA.

Each party is responsible for its own compliance with Data Protection Laws in respect of the role it plays.

3. Subject matter, duration, nature and purpose

ItemDescription
Subject matterProcessing of Customer Personal Data necessary to provide the Service to the Customer under the Agreement.
DurationThe term of the Agreement, plus the limited periods set out in Section 11 (return and deletion).
Nature and purposeHosting, storing, transmitting, displaying and otherwise processing Customer Personal Data so that the Customer's Authorised Users can use the Service for college recruiting and scouting.
Categories of data subjectsAuthorised Users of the Customer (college soccer staff, coaches, recruiters, administrators).
Categories of Personal DataIdentification data (name, work email, job title, college affiliation), authentication data (account credentials, login metadata, IP and device identifiers, session tokens), communications between the Authorised User and VeriScout, billing-contact data, and any free-text notes the Authorised User chooses to add to a Player profile.
Special-category dataNone expected. The Customer must not submit special-category data through the Service unless agreed in writing in advance.
Children's dataAuthorised Users must be 18 or older.

4. Customer instructions

VeriScout will process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers to third countries, except where required to do so by EU or Danish law to which it is subject. Where VeriScout is so required, it will inform the Customer of the legal requirement before processing, unless that law prohibits notification on important grounds of public interest.

The Agreement, this DPA, the Customer's use of the Service through its Authorised Users, and any written instructions agreed between the parties, constitute the Customer's complete and final instructions to VeriScout. Additional or alternative instructions outside the scope of this DPA require prior written agreement and may be subject to additional fees.

VeriScout will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

5. Confidentiality of personnel

VeriScout ensures that personnel authorised to process Customer Personal Data are bound by appropriate written or statutory obligations of confidentiality and have received training on their data-protection responsibilities. Access to Customer Personal Data is limited to personnel who need it to provide the Service.

6. Security of processing

VeriScout will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to data subjects.

These measures include, at a minimum:

  • encryption of data in transit (HTTPS/TLS) and at rest;
  • role-based access controls and the principle of least privilege for administrative access;
  • audit logging of administrative actions and security-relevant events;
  • regular software updates and vulnerability management;
  • secure software-development practices and code review;
  • regular backups, with backups encrypted and access-controlled;
  • network segmentation and protection at the cloud-provider boundary; and
  • a documented incident-response process.

VeriScout will provide the Customer with a summary of its current security measures on request.

7. Sub-processors

The Customer grants VeriScout general written authorisation to engage sub-processors to process Customer Personal Data, subject to this Section 7.

VeriScout maintains a current list of sub-processors at /subprocessors. The list identifies each sub-processor, its role, the location of processing, and the transfer mechanism that applies. Customers can subscribe to email notifications of changes via the address shown on that page.

Before engaging a new sub-processor or replacing an existing one for processing of Customer Personal Data, VeriScout will:

  • update the sub-processor list and notify subscribed Customers by email; and
  • give the Customer at least 30 days to object on reasonable data-protection grounds.

If the Customer objects, the parties will work in good faith to resolve the concern. If the concern cannot be resolved within a reasonable time, the Customer may terminate the affected subscription on written notice and receive a pro-rata refund of pre-paid, unused fees for the affected subscription term. Termination is the Customer's sole and exclusive remedy in connection with a sub-processor change.

VeriScout will impose written contractual obligations on each sub-processor that are no less protective than those set out in this DPA, in particular as regards security and international transfers, and remains liable to the Customer for the acts and omissions of its sub-processors as if they were its own.

8. International transfers

VeriScout hosts Customer Personal Data primarily in the European Union (currently AWS, Frankfurt). Processing may also take place in countries where VeriScout, its personnel or its sub-processors are located.

Where processing of Customer Personal Data involves a transfer of personal data from the EEA, the United Kingdom or Switzerland to a country that does not benefit from an adequacy decision, the parties rely on the following transfer mechanisms in the order shown:

  1. the EU–US Data Privacy Framework (or its UK and Swiss extensions, as applicable) where the receiving organisation is certified;
  2. the EU Standard Contractual Clauses (Module 2 — controller to processor — when VeriScout is the data exporter; Module 3 — processor to sub-processor — between VeriScout and its sub-processors), incorporated into this DPA by reference; and
  3. for transfers from the United Kingdom, the UK Addendum to the SCCs.

Where the SCCs apply between the Customer (as exporter) and VeriScout (as importer):

  • the optional clause on docking is included;
  • Clause 9(a) Option 2 (general written authorisation for sub-processors) applies, with the 30-day notice period set out in Section 7;
  • Clause 11(a) optional independent dispute-resolution body — not selected;
  • Clause 17 governing law — the law of Denmark;
  • Clause 18 forum and jurisdiction — the courts of Copenhagen, Denmark;
  • Annexes I, II and III of the SCCs are completed by reference to Sections 3, 6 and 7 of this DPA respectively.

VeriScout has carried out a transfer-impact assessment for transfers of Customer Personal Data to its US-based customers and sub-processors and will provide a summary on reasonable request.

9. Data subject requests

Taking into account the nature of the processing, VeriScout will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligations to respond to requests from data subjects exercising rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

Where a data subject contacts VeriScout directly with a request relating to Customer Personal Data, VeriScout will, without undue delay, forward the request to the Customer and will not respond on the substance unless the Customer instructs it to or VeriScout is legally required to do so.

10. Personal data breaches

VeriScout will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent then known:

  • a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and to mitigate its effects; and
  • a contact point for further information.

VeriScout will provide reasonable cooperation to the Customer in investigating, mitigating and notifying the breach to authorities and affected data subjects where the Customer is required to do so under Data Protection Laws.

VeriScout's notification of, or response to, a personal data breach is not an acknowledgement of fault or liability.

11. Data Protection Impact Assessments and prior consultation

VeriScout will, on reasonable request and at the Customer's cost where significant effort is required, provide the Customer with information reasonably necessary to carry out a data-protection impact assessment under Article 35 GDPR and any prior consultation with a supervisory authority under Article 36 GDPR, in respect of the Customer's use of the Service.

12. Audits

VeriScout will make available to the Customer, on written request and no more than once every 12 months (except following a personal data breach affecting the Customer), the information reasonably necessary to demonstrate compliance with this DPA. This may take the form of:

  • VeriScout's then-current security documentation, sub-processor list, and policies; and
  • responses to a reasonable security and privacy questionnaire.

If the Customer reasonably believes the information provided is insufficient, the Customer may request an audit at its own cost on at least 30 days' written notice. Audits must be carried out during normal business hours, must not unreasonably interrupt VeriScout's business, must respect the confidentiality of other VeriScout customers and personnel, and must be conducted by an independent auditor reasonably acceptable to VeriScout and bound by written confidentiality obligations.

The Customer will share audit findings with VeriScout in writing and will not publish or share them with third parties except as required by law or to its professional advisers under confidentiality.

13. Return and deletion of Customer Personal Data

Within 30 days of termination or expiry of the Agreement, VeriScout will, on written request from the Customer, make Customer Personal Data available for export in a commonly used format. After that period, VeriScout will delete or anonymise Customer Personal Data, except to the extent retention is required by applicable law (in which case Section 6 security obligations continue to apply).

Encrypted backups may persist for up to 35 days beyond active deletion and are overwritten as part of VeriScout's normal backup-rotation cycle.

14. Liability

The liability of each party arising out of or related to this DPA is governed by, and subject to, the limitation-of-liability provisions in the Agreement. For the avoidance of doubt, those limitations apply in aggregate across the Agreement and this DPA, not separately.

15. CCPA addendum

Where the Customer is a “business” and VeriScout is a “service provider” within the meaning of the CCPA in respect of Customer Personal Data:

  • VeriScout will process Customer Personal Data only for the business purposes set out in this DPA and the Agreement;
  • VeriScout will not “sell” or “share” Customer Personal Data within the meaning of the CCPA;
  • VeriScout will not retain, use or disclose Customer Personal Data outside the direct business relationship between the parties; and
  • VeriScout certifies that it understands and will comply with these restrictions.

16. Order of precedence

In the event of a conflict on data-protection matters, the following order of precedence applies:

  1. the Standard Contractual Clauses (where they apply);
  2. this DPA;
  3. the Agreement.

17. Governing law

This DPA is governed by the law of Denmark and the courts of Copenhagen, Denmark have exclusive jurisdiction, subject to the SCCs to the extent they require otherwise.

18. Contact

Data-protection questions and DPA queries should be sent to:

VeriScout ApS
Fogedvænget 98, 8722 Hedensted, Denmark
CVR 46154223
Hello@veri-scout.com