
Data Processing Addendum

Last updated: April 16, 2026

1. Parties and Scope

This Data Processing Addendum ("DPA") forms part of the Terms of Service between NEXTON INTERACTIVE LIMITED trading as FC Tactix and the organizational customer that uses FC Tactix to process personal data in customer-managed team, player, session, evaluation, plan, club, or related content ("Customer").

This DPA applies when NEXTON INTERACTIVE LIMITED processes personal data on behalf of Customer in its role as a processor or service provider. It does not replace the parties' broader contract for the Service, but it governs personal-data processing by NEXTON INTERACTIVE LIMITED to the extent required by applicable data protection law.

2. Order of Precedence

If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of personal data on behalf of Customer. If the parties later sign a separate written data processing agreement for a particular customer relationship, that separately signed agreement controls over this public DPA to the extent of any inconsistency.

3. Definitions

  • Customer Content means personal data and related content uploaded, submitted, generated, or otherwise processed by Customer or its authorized users through the Service.
  • Applicable Data Protection Law means the privacy and data protection laws applicable to the relevant processing, including laws relating to children's data, health data, direct marketing, breach notification, and cross-border transfers.
  • Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Content processed by NEXTON INTERACTIVE LIMITED as processor.

4. Roles of the Parties

Customer acts as controller, or as the controller's authorized representative, for Customer Content that it decides to upload, create, or process through the Service. NEXTON INTERACTIVE LIMITED acts as processor or service provider for that Customer Content.

NEXTON INTERACTIVE LIMITED remains an independent controller for data it processes for its own business and legal purposes, including account management, subscription and billing administration, service security, direct marketing preference management, support, fraud prevention, and legal compliance.

5. Processing Instructions

Customer instructs NEXTON INTERACTIVE LIMITED to process Customer Content solely to provide, secure, support, maintain, and improve the Service in accordance with the Terms, this DPA, documented customer configuration, and lawful documented instructions submitted through the Service or support channels.

NEXTON INTERACTIVE LIMITED may decline any instruction that is unlawful, technically incompatible with the Service, or would materially undermine the security, reliability, or rights of other customers or users.

6. Subject Matter, Duration, Nature, and Purpose

The subject matter of the processing is the delivery of FC Tactix to Customer. The duration of the processing lasts for as long as Customer uses the Service and for any additional period reasonably required for deletion, return, backup rotation, dispute resolution, security, or legal compliance.

The nature and purpose of the processing include hosting, organizing, storing, rendering, exporting, sharing, syncing, securing, troubleshooting, and otherwise making Customer Content available within the Service, including optional AI, collaboration, email, and billing related workflows where Customer chooses to use those features.

7. Confidentiality

NEXTON INTERACTIVE LIMITED will ensure that personnel who may access Customer Content are bound by confidentiality obligations and only access Customer Content where reasonably necessary to operate, secure, maintain, or support the Service.

8. Technical and Organizational Measures

NEXTON INTERACTIVE LIMITED will maintain reasonable technical and organizational measures designed to protect Customer Content against unauthorized or unlawful access, loss, destruction, misuse, or disclosure. A summary of the measures in place at the time of publication appears in Annex B.

Customer acknowledges that no online service can guarantee absolute security, and that the measures used for the Service may evolve over time so long as the overall security posture is not materially reduced.

9. Subprocessors

Customer authorizes NEXTON INTERACTIVE LIMITED to use subprocessors to support the Service. A current subprocessor schedule is published at /subprocessors.

At the time of this DPA, the public subprocessor schedule includes Neon, Vercel, OpenAI, Liveblocks, Sentry, Resend, Polar. NEXTON INTERACTIVE LIMITED will remain responsible for the acts and omissions of its subprocessors to the extent required by applicable law and the governing customer contract.

10. International Transfers

Customer acknowledges that FC Tactix operates from Kenya and uses subprocessors and infrastructure that may process personal data outside Kenya and outside Customer's home jurisdiction. NEXTON INTERACTIVE LIMITED will seek to rely on lawful transfer mechanisms, contractual commitments, and vendor safeguards that are appropriate for the relevant transfer.

11. Assistance With Data Subject Requests

Taking into account the nature of the processing and the functionality of the Service, NEXTON INTERACTIVE LIMITED will provide reasonable assistance to help Customer respond to data subject requests that relate to Customer Content, including requests for access, correction, deletion, restriction, portability, and objection, where legally required and technically feasible.

12. Security Incidents and Breach Assistance

If NEXTON INTERACTIVE LIMITED becomes aware of a Security Incident affecting Customer Content processed under this DPA, it will notify Customer without undue delay and provide the information reasonably available to it at the time, including the nature of the incident, the likely impact, and the mitigation steps taken or proposed where known.

Unless applicable law requires otherwise, Customer remains responsible for determining whether the incident triggers notification obligations to regulators, teams, players, guardians, or other affected persons.

13. Deletion and Return of Customer Content

During the subscription term, Customer may use available product functionality to export or delete certain Customer Content. Upon termination or documented request, NEXTON INTERACTIVE LIMITED will delete or return Customer Content from active systems within a reasonable period, unless retention is required by law or reasonably necessary for security, fraud prevention, legal claims, billing reconciliation, or dispute resolution.

Customer acknowledges that files, exports, caches, logs, and backups may persist for a limited period after deletion or replacement before they expire from all systems.

14. Audit and Information Rights

Because FC Tactix is a multi-tenant service, Customer's audit rights under this DPA will ordinarily be satisfied by this DPA, our public legal materials, our subprocessor schedule, and reasonable written responses to proportionate security or privacy questionnaires.

If Customer has a legally required audit right or a reasonable, documented need arising from a material Security Incident, NEXTON INTERACTIVE LIMITED and Customer will work in good faith on a proportionate remote review process, subject to confidentiality, security restrictions, protection of other customers, and reasonable cost allocation where permitted by law.

15. Children's Data

FC Tactix is not intended to be used directly by children under 13. Where Customer uploads or processes personal data relating to minors through adult-managed accounts, Customer is responsible for ensuring that it has authority to do so and that it has satisfied any applicable notice, permission, consent, or age-related requirements.

Customer must not use FC Tactix to knowingly permit direct self-signup by children under 13. If Customer uses the Service for users under the age of majority in the relevant jurisdiction, Customer remains responsible for ensuring the required parental, guardian, school, club, or other authorized adult involvement.

16. Sensitive Health Data

Customer acknowledges that injury and rehabilitation workflows in FC Tactix may involve sensitive personal data relating to health, including injury status, injury episodes, rehabilitation progress, expected return dates, return-to-training and return-to-play tracking, and notes that reveal physical or mental health status.

NEXTON INTERACTIVE LIMITED will process such data only to provide the Service in accordance with Customer's documented use of the Service and lawful instructions. Customer is solely responsible for deciding whether such data should be uploaded, determining the lawful basis for doing so, restricting internal access to authorized staff, and ensuring that any required notices or permissions have been given or obtained.

FC Tactix is not a medical device, healthcare provider, emergency response service, or clinical records platform. The Service, including any AI output, must not be used as a substitute for clinical judgment, diagnosis, treatment, or emergency response.

17. AI Features and AI Subprocessors

If Customer chooses to use AI features, NEXTON INTERACTIVE LIMITED may send prompts, supporting context, and generated output to AI subprocessors in order to provide the selected feature. Customer is responsible for deciding whether to include player, guardian, minor, health-related, or other sensitive data in AI workflows and must ensure it has the lawful basis, authority, and permissions to do so.

Customer should avoid submitting unnecessary sensitive data to AI features. AI outputs may be inaccurate or incomplete and must be reviewed by a qualified human user before use.

18. Liability and Survival

This DPA is subject to the liability framework, exclusions, and limitations set out in the Terms of Service unless applicable law requires otherwise. Provisions that by their nature should survive termination, including confidentiality, deletion, audit, liability, and dispute-related provisions, will survive for so long as relevant personal data remains under the control of the parties.

19. Updates

NEXTON INTERACTIVE LIMITED may update this DPA from time to time to reflect changes in the Service, legal requirements, subprocessors, or operational practices. The version published on this page will govern unless Customer and NEXTON INTERACTIVE LIMITED have signed a separate written processing agreement that states otherwise.

Annex A. Processing Details

| Data Subject Category | Personal Data Categories | Processing Purpose |
| --- | --- | --- |
| Customer administrators, coaches, analysts, educators, and staff users | Name, email address, account identifiers, role and workspace access data, profile image, authentication metadata, security settings, communications preferences, and activity history. | Account administration, access control, collaboration, support, billing administration, service delivery, and security. |
| Players and athletes, including minors where uploaded by authorized adult users | Names, squad assignments, positions, jersey numbers, photos, dates of birth if uploaded by the customer, development plans, evaluations, observations, match and training records, availability, injury and rehabilitation records, return-to-training and return-to-play data, and related notes or attachments. | Team management, player development, availability and welfare workflows, rehabilitation administration, session planning, performance analysis, reporting, and customer-directed sharing. |
| Parents, guardians, or other authorized adult representatives if included by the customer | Names, contact information, notes, relationship details, or other information the customer chooses to include in customer content, communications, or AI prompts. | Customer-managed player communication, meeting preparation, contextual drafting, and related club or academy workflows. |
| Uploaded files, exports, and customer-generated content | Player photos, plan evidence, exported files, board exports, shared resources, session materials, notes, and other uploaded or generated content. | Hosting, rendering, syncing, exporting, sharing, and making customer content available within the Service. |

Annex B. Security Measures Summary

  • HTTPS or TLS in transit for the Service and supported APIs.
  • Authenticated access controls, secure session handling, and optional two-factor authentication for supported accounts.
  • Role-based permissions and workspace-level access controls for clubs and collaboration workflows.
  • Managed cloud infrastructure for application hosting, database hosting, file storage, and operational monitoring.
  • Restricted administrative access and environment-managed secrets for service operations.
  • Private-access file flows and signed or controlled retrieval for supported uploads and generated exports.
  • Operational logging, incident diagnostics, and monitoring designed to detect service faults, abuse, and security issues.
  • Multi-tenant controls and internal processes intended to limit access to customer data to personnel and subprocessors who need it to provide or support the Service.

Annex C. Subprocessor Schedule

The current subprocessor schedule is published at /subprocessors. That schedule forms part of this DPA and may be updated from time to time as our operational infrastructure evolves.

Annex D. Customer Instructions for Children's and Sensitive Data

  • Customer is responsible for determining and documenting its lawful basis for customer content uploaded to FC Tactix.
  • Customer must provide any notices and obtain any permissions or consents required under applicable law before uploading children's data, guardian data, or sensitive health data.
  • Customer must limit uploads to data that is relevant and reasonably necessary for the intended coaching, educational, administrative, or sporting purpose.
  • Customer must restrict its own internal access to children's and health-related records to authorized staff with a legitimate need to know.
  • Customer must not use FC Tactix AI features with children's or health-related data unless Customer has authority and lawful basis for that use and has assessed the risks of using AI in that workflow.
  • Customer must not use the Service as a medical records platform, emergency service, or substitute for clinical judgment.

20. Contact

Questions about this DPA may be sent to contact@fctactix.com.

P.O BOX 632, 00618 - RUARAKA, NAIROBI, KENYA
