
Data Processing Agreement (DPA)

Summary pursuant to GDPR Article 28 — Last updated: April 2026

1. Parties

Controller: You, the user of BJJ App, who determines the purposes and means of processing personal data.

Processor: Toshiki Terasawa (sole proprietor), operating BJJ App at bjj-app.net.

2. Scope of Processing

We process personal data solely to provide the BJJ App training tracker service. Categories of data processed include:

  • Account data (email, display name, avatar URL)
  • Training data (session logs, technique notes, competition records)
  • Body data (weight entries, injury records)
  • Usage data (push notification tokens, cookie preferences)

3. Sub-processors

We use the following sub-processors:

| Service | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database, Auth, Storage | US (ap-northeast-1) |
| Vercel | Hosting, Edge Functions | Global CDN |
| Stripe | Payment processing | US/EU |
| Sentry | Error tracking | US |
| Resend | Transactional email | US |
| OpenAI | AI Coach (Pro only) | US |

4. Data Security Measures

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Row-Level Security (RLS) on all database tables
  • Rate limiting on all API endpoints
  • CSRF protection via SameSite cookies
  • Security headers: CSP, HSTS, X-Frame-Options, Permissions-Policy
  • Automated vulnerability scanning (npm audit, Dependabot)

5. Data Subject Rights

We support your exercise of data subject rights under GDPR Articles 15–22:

  • Access & Portability: Export all your data via CSV or PDF at any time (free)
  • Erasure: Delete your account from Profile → Account. 30-day recovery period, then permanent deletion.
  • Rectification: Edit any personal data directly in the app
  • Restriction: Contact us to restrict processing

6. Data Retention

See our Privacy Policy §9 for detailed retention periods by data category.

7. Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected data subjects without undue delay. See Privacy Policy §11 for our full incident response policy.

8. Contact

For DPA inquiries, data subject requests, or to request a signed copy of our full DPA:

307239t777@gmail.com
