Data Processing Addendum
DPA governing Fieldday's processing of personal data on behalf of tenant organizations.
Effective date: May 28, 2026
Version: 1.1
This Data Processing Addendum (the "DPA") forms part of the agreement between Fieldday and the Tenant (the "Agreement") under which Fieldday provides the Fieldday platform and related services (the "Services"). It governs the parties' respective obligations regarding personal information processed through the Services.
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to personal information matters.
1. Definitions
"Applicable Privacy Laws" means the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and any other federal, provincial, or territorial privacy or data protection legislation that applies to the processing of Personal Information under the Agreement, including without limitation Quebec's Act respecting the protection of personal information in the private sector where applicable.
"Fieldday" means KABOOM SG, the provider of the Services.
"Personal Information" has the meaning given in PIPEDA and includes information about an identifiable individual that is collected, used, or disclosed through the Services.
"Player Data" means Personal Information about the Tenant's players, participants, members, staff, volunteers, or other individuals registered or otherwise enrolled through the Tenant's use of the Services.
"Tenant Data" means all data the Tenant creates, uploads, or generates through the Services, including Player Data, organization and league records, season and division configurations, team rosters, schedules, game results, player statistics, standings, financial transaction records (excluding card data, which is handled by the payment processor), waivers and signed agreements, and media files uploaded by the Tenant or its players. Tenant Data does not include Fieldday platform telemetry, internal logs, or aggregated and de-identified information used to operate and improve the Services.
"Privacy Breach" means a loss of, unauthorized access to, or unauthorized disclosure of Personal Information processed under the Agreement, whether resulting from a breach of security safeguards or otherwise.
"Sub-processor" means a third party engaged by Fieldday to process Personal Information in connection with the Services.
"Tenant" means the organization that has entered into the Agreement with Fieldday and uses the Services to manage its sports league, association, or similar organization.
2. Roles and responsibilities
2.1 Tenant as the responsible organization
The Tenant determines the purposes for which Player Data is collected and used. Under Applicable Privacy Laws, the Tenant is the organization primarily accountable to its players for that Personal Information.
The Tenant is responsible for:
- Obtaining all necessary consents from its players for the collection, use, and disclosure of Player Data, including consent to its processing by Fieldday and Fieldday's sub-processors
- Providing its players with clear notice of how their Personal Information will be handled, including the existence and substance of this arrangement
- Ensuring it has lawful authority to upload, transmit, or otherwise make available any Personal Information to the Services
- Responding to access, correction, deletion, and other requests from its own players in the first instance
- Determining appropriate retention periods for Player Data within the limits the Services support
- Where the Tenant collects Personal Information from minors, obtaining valid parental or guardian consent in accordance with Applicable Privacy Laws
2.2 Fieldday as the service provider
Fieldday processes Personal Information on behalf of the Tenant and only as necessary to provide the Services, support the Tenant, and meet its own legal obligations.
Fieldday is responsible for:
- Maintaining safeguards appropriate to the sensitivity of the Personal Information it processes
- Processing Personal Information only in accordance with this DPA and the Tenant's documented instructions, which are deemed to include the Agreement and the Tenant's normal use of the Services
- Notifying the Tenant of Privacy Breaches affecting Player Data in accordance with Section 6
- Supporting the Tenant in meeting its own obligations under Applicable Privacy Laws
3. Scope and nature of processing
3.1 Categories of Personal Information
Fieldday processes the following categories of Personal Information on behalf of the Tenant:
- Player and participant data: name, email address, phone number, team and league affiliation, communication preferences
- Administrator data: name, email, phone, role, and credentials
- Operational data: schedules, registrations, payments where applicable, and communications sent through the platform
- Technical data: IP address, device information, and access logs
Fieldday does not collect dates of birth, government identifiers, or health information through the platform. Payment card data, where collected, is handled by the payment processor and not stored on Fieldday's systems.
3.2 Categories of individuals
Players, participants, league administrators, staff, volunteers, and other individuals whose information the Tenant uploads or causes to be collected through the Services.
3.3 Purposes of processing
- Operating the Services for the Tenant
- Authenticating users and securing the platform
- Delivering communications initiated by the Tenant or its players
- Providing support to the Tenant
- Improving the Services using aggregated and de-identified data
- Meeting legal, regulatory, and audit obligations
3.4 Duration
Fieldday processes Personal Information for the duration of the Agreement, plus any post-termination period required for export, deletion, or legal retention, as set out in Section 8.
4. Safeguards
Fieldday maintains administrative, technical, and physical safeguards appropriate to the sensitivity of the Personal Information it processes, including:
- Encryption of Personal Information in transit (TLS) and at rest
- Role-based access controls and tenant isolation, ensuring one Tenant cannot access another Tenant's data
- Multi-factor authentication for administrative access to Fieldday's systems
- Logging and monitoring of administrative activity
- Regular review of security practices, sub-processor arrangements, and access privileges
- Secure software development practices, including dependency review and vulnerability remediation
- Documented incident response procedures
Fieldday will review and update these safeguards from time to time to reflect changes in risk, technology, and the sensitivity of the Personal Information processed.
5. Sub-processors
5.1 Authorized sub-processors
The Tenant authorizes Fieldday to engage Sub-processors to provide the Services. The current list of Sub-processors is:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Supabase | Database and authentication infrastructure | Canada / United States |
| Railway | Application hosting | United States |
| Resend | Transactional email delivery | United States |
| Twilio | SMS message delivery | United States |
| Stripe | Payment processing (where applicable) | United States / Canada |
| Cloudflare | DNS, content delivery, edge caching, and email routing | Global edge network, including Canada / United States |
5.2 Sub-processor obligations
Fieldday will impose on each Sub-processor, by written contract, data protection obligations no less protective than those in this DPA. Fieldday remains responsible to the Tenant for each Sub-processor's performance.
5.3 Changes to Sub-processors
Fieldday will give the Tenant at least 30 days' notice before adding or replacing a Sub-processor with access to Player Data. The Tenant may object on reasonable privacy or security grounds within 30 days, in which case the parties will work in good faith to resolve the objection. If resolution is not possible, the Tenant may terminate the affected portion of the Services on written notice without penalty.
6. Privacy Breach notification
6.1 Notification to the Tenant
If Fieldday becomes aware of a Privacy Breach affecting Player Data, Fieldday will notify the Tenant without undue delay and, where reasonably practicable, within 72 hours of confirming the Privacy Breach.
The notification will include, to the extent then known:
- A description of the nature of the Privacy Breach
- The categories and approximate number of individuals and records affected
- The likely consequences of the Privacy Breach
- The measures taken or proposed to address it and mitigate harm
- A contact point for further information
6.2 Cooperation
Fieldday will cooperate with the Tenant in good faith to investigate the Privacy Breach, mitigate its effects, and meet any notification obligations the Tenant may have to its players, regulators, or other parties under Applicable Privacy Laws.
6.3 Tenant's notification obligations
The Tenant is responsible for determining whether the Privacy Breach meets the threshold for notification to affected individuals or to the Office of the Privacy Commissioner of Canada under PIPEDA or other applicable law, and for making any such notifications. Fieldday will provide the information the Tenant reasonably requires to make and support those determinations.
6.4 Records
Both parties will maintain records of Privacy Breaches as required by Applicable Privacy Laws, including for at least 24 months as required by PIPEDA.
7. Individual rights requests
If Fieldday receives a request from a player or other individual to access, correct, delete, or otherwise exercise rights over Player Data, Fieldday will:
- Refer the individual to the Tenant where Fieldday is acting as a service provider
- Notify the Tenant of the request without undue delay
- Provide reasonable assistance to the Tenant in responding, including by providing platform functionality for export, correction, and deletion
The Tenant remains the party responsible for responding substantively to such requests in respect of Player Data.
8. Ownership, return, and deletion of data
8.1 Ownership
As between Fieldday and the Tenant, the Tenant owns all Tenant Data. Fieldday does not acquire any right, title, or interest in Tenant Data beyond the limited rights necessary to provide the Services and meet its obligations under the Agreement and this DPA.
8.2 Export during the term
The Tenant may, at any time during the term of the Agreement, export its Tenant Data through the self-service export functionality provided in the platform. The export is delivered as a structured archive in commonly used machine-readable formats (CSV and JSON), including referenced media files where stored by Fieldday.
Fieldday will document the structure of the export and any material changes to that structure, so the Tenant can rely on the export for backup, migration, or compliance purposes.
8.3 Export on termination
Within 30 days of termination or expiry of the Agreement, the Tenant may request a final export of Tenant Data through the same export functionality, or by written request to Fieldday's Privacy Officer where the platform interface is no longer accessible. Fieldday will provide the export within a reasonable period and in no event later than 30 days of the request.
8.4 Deletion
Following the export period in Section 8.3, or earlier where the Tenant directs in writing, Fieldday will delete or de-identify Tenant Data from active systems within 60 days. Tenant Data residing in backups will be deleted in accordance with Fieldday's standard backup retention cycle, which does not exceed 12 months. Backed-up Tenant Data is not used for any purpose during this residual period and remains subject to the safeguards in this DPA until deletion.
On request, Fieldday will provide written confirmation of deletion.
8.5 Legal and contractual retention
Fieldday may retain Tenant Data beyond the periods above only where required by Applicable Privacy Laws, by other applicable legislation (including Canadian tax retention requirements for financial records), or as reasonably necessary to enforce or defend legal claims. Any such retained data is limited to what is necessary for the retention purpose and remains subject to the safeguards in this DPA.
8.6 Scope and exclusions
The export and deletion obligations in this Section 8 apply to Tenant Data. They do not extend to:
- Aggregated or de-identified information that cannot reasonably be associated with the Tenant or its players
- Fieldday's internal logs, telemetry, and analytics generated in the course of operating the Services
- Communications records, which are not included in the export but which Fieldday retains and deletes in accordance with its standard retention practices and Applicable Privacy Laws
- Data held by Sub-processors under the Sub-processors' own retention practices; Fieldday will make reasonable efforts to ensure Sub-processor data lifecycle aligns with this DPA but does not control Sub-processor backup cycles directly
9. Audits and information requests
On reasonable written notice, and no more than once per year except in connection with a Privacy Breach or regulatory investigation, Fieldday will provide the Tenant with information reasonably necessary to demonstrate compliance with this DPA, including:
- A summary of Fieldday's security practices
- Copies of relevant third-party audit reports or attestations, where available
- Responses to reasonable written questionnaires
Audits will be conducted in a manner that does not unreasonably interfere with Fieldday's operations or compromise the confidentiality of other Tenants' information.
10. International transfers
Some Personal Information may be processed by Sub-processors located outside Canada, including in the United States. The Tenant acknowledges this and is responsible for notifying its players of cross-border processing where required by Applicable Privacy Laws.
Fieldday will ensure that any cross-border processing is subject to contractual protections appropriate to the sensitivity of the Personal Information and consistent with Applicable Privacy Laws.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
12. Term and termination
This DPA takes effect on the effective date above and continues for the duration of the Agreement. Sections that by their nature should survive termination, including those concerning return and deletion of data, breach records, and liability, will survive.
13. Governing law
This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable in Ontario. The parties submit to the exclusive jurisdiction of the courts of Ontario for any matter arising out of or in connection with this DPA, without prejudice to any party's right to seek interim relief in any jurisdiction.
14. Signatures
Acceptance of this DPA is normally captured electronically through the Fieldday platform when a Tenant administrator accepts the Terms of Service during onboarding. Where electronic acceptance has been recorded, that record constitutes the binding agreement and the signature block below is not required. The signature block is provided for Tenants whose internal policies require a countersigned copy of this DPA. Where used, both parties must sign and a Fieldday platform administrator will record the acceptance manually in the platform.
Fieldday KABOOM SG
Name: ____________________________
Title: ____________________________
Date: ____________________________
Signature: ________________________
Tenant
Organization: ____________________________
Name: ____________________________
Title: ____________________________
Date: ____________________________
Signature: ________________________