This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Moneyball.win Terms of Service (“Agreement”) between Eagle Cross, Inc. (“Processor”) and the Member Organization (“Controller”) that has accepted the Agreement.

1. Scope and Role

This DPA applies to the processing of CRM opportunity data provided by the Controller to the Processor via the Moneyball.win service.

• Roles: The Member Organization is the Controller; Eagle Cross, Inc. is the Processor.
• Data Type: The data is limited to CRM opportunity fields (for example: Deal ID, Stage, Amount, Close Date, Sales Rep Name, and Account Name/Industry). Moneyball accesses this data through secure API integrations or secure connections to spreadsheet files via file providers such as Google Drive, Box, or SharePoint.
• No PII: Controller agrees not to provide, and Processor agrees not to collect, sensitive personal data or PII (e.g., Social Security numbers, health data, or contact details of individuals).

2. Processor’s Obligations

Processor agrees to:

• Instructions: Process data only on the documented instructions of the Controller (which include providing the analytics and insights requested via the application).
• Confidentiality: Ensure that all personnel authorized to process the data have committed themselves to confidentiality.
• Security: Implement the technical and organizational measures outlined in the Moneyball.win Security Overview, including encryption at rest, encryption in transit, and tenant isolation.
• Sub-processors: Controller provides a general authorization for Processor to use sub-processors (Google Cloud, Cloudflare, Convex) to provide the service. Processor remains responsible for the sub-processor’s compliance with data protection obligations.

3. Data Breach Notification

In the event of a confirmed Personal Data Breach (or unauthorized access to Controller’s data), Processor shall notify Controller without undue delay and, in any event, within 72 hours of becoming aware of the breach.

4. Audit Rights

To support the “early-stage” nature of the service while providing transparency, Processor will provide Controller with its most recent security summaries, documentation, or available third-party audit reports (e.g., sub-processor SOC 2 reports) upon written request.

5. Data Deletion

Upon termination of the Agreement or a request by the Controller, Processor shall delete all data within 14 days, unless required by law to retain it.

6. Limitation of Liability

The parties agree that any liability arising under this DPA is subject to the limitations of liability set forth in the Main Agreement (Terms of Service).