Data Processing Agreement

Last updated: January 21, 2026

This Data Processing Agreement (“Agreement”) forms part of and supplements the Terms of Service and Privacy Policy of B.E.S.A LLC (1601 Willow Lawn Dr Suite 304, The Shops at Willow Lawn, Richmond, VA 23223, United States) (“BESA Coaching,” “we,” “us,” or “our”) and is entered into with you (“Customer,” “you,” or “your”), as the Data Controller, regarding the use of services provided via https://besacoaching.com/ (“Services”).

This Agreement governs the processing of Personal Data by BESA Coaching on your behalf, in accordance with applicable Data Protection Laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy legislation.

  1. Definitions

Unless otherwise defined in this Agreement, capitalized terms have the meaning given in the Privacy Policy or under applicable Data Protection Laws.

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Data Controller: The entity that determines the purposes and means of processing Personal Data (you).
  • Data Processor: The entity that processes Personal Data on behalf of the Data Controller (B.E.S.A LLC).
  • Subprocessor: Any third party engaged by B.E.S.A LLC to process Personal Data on your behalf.
  • Data Protection Laws: All applicable laws and regulations relating to the processing of Personal Data, including the GDPR, CCPA, and relevant local legislation.
  • Services: The coaching platform, related applications, and services offered by B.E.S.A LLC.
  • Data Subject: The individual whose Personal Data is processed.
  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

  2. Scope and Roles

  • You, as the Customer, are the Data Controller.
  • B.E.S.A LLC acts as the Data Processor, processing Personal Data solely on your behalf, as described in our Privacy Policy.
  • This Agreement applies to all Personal Data processed by us while providing Services, including data relating to minors (with parental consent), clients, coaches, contractors, and other users.

  3. Nature, Purpose, and Duration of Processing

3.1. Nature and Purpose

We process Personal Data strictly for the following purposes:

  • Provision, operation, and improvement of the Services;
  • Account creation, management, and authentication;
  • Facilitating coaching sessions and communications, including collecting notes and feedback;
  • Processing payments and fulfilling legal, contractual, or compliance obligations;
  • Ensuring platform safety, security, and integrity, including fraud prevention and incident detection;
  • Compliance with applicable legal requirements (including identity verification, background checks, and tax laws);
  • Responding to user requests and assisting with the exercise of Data Subject rights;
  • Internal analytics and reporting.

3.2. Categories of Personal Data Processed

The categories of Personal Data processed include but are not limited to:

  • Personal identifiers (names, addresses, contact details, date of birth, ID numbers, etc.);
  • Account credentials and authentication data;
  • Payment and billing information (processed securely via third-party payment providers);
  • Coaching session data (session notes, schedules, communications, resources shared);
  • User-generated content (feedback, reviews, surveys, uploads, documents);
  • Technical and usage data (IP address, device/browser info, cookies, log data);
  • Information relating to minors and parental/guardian consents, where applicable;
  • Coach and contractor background and credential information.

3.3. Special Categories of Data

If you instruct us to process Special Categories of Personal Data (such as health data, racial or ethnic origin, or other sensitive data), you are responsible for obtaining explicit consent from Data Subjects or otherwise ensuring lawful processing.

3.4. Duration

Personal Data shall be processed for the duration of the Services, unless otherwise required by law or as set forth in Section 9 (Data Retention and Deletion).

  4. Processor Obligations

B.E.S.A LLC shall:

  • Process Personal Data only on documented instructions from you, including with regard to international data transfers, unless otherwise required by law. If required by law, we will inform you of that legal requirement before processing, unless prohibited by law;
  • Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as outlined in our Privacy Policy and in accordance with Article 32 of the GDPR;
  • Provide reasonable assistance to you in ensuring compliance with Data Protection Laws, including obligations related to security, data breach notification, Data Protection Impact Assessments (DPIA), and consultation with supervisory authorities;
  • Promptly notify you (without undue delay and in any event within 72 hours) upon becoming aware of any Personal Data Breach affecting your Personal Data, providing sufficient information to assist you in meeting your legal obligations;
  • Maintain a record of all categories of processing activities carried out on your behalf, as required by applicable laws;
  • Not process Personal Data outside the scope of this Agreement or your instructions.

  5. Subprocessing

  • We may engage Subprocessors (such as payment processors, IT providers, or background check agencies) to assist in providing the Services.
  • A current list of Subprocessors is available upon request. We ensure all Subprocessors are contractually bound by data protection obligations at least equivalent to those in this Agreement.
  • We will notify you in advance of any intended changes to Subprocessors, giving you the opportunity to object on reasonable grounds within 14 days of notification.
  • If you object to a Subprocessor and a resolution cannot be reached, you may terminate the affected Services with written notice, without penalty.

  6. International Data Transfers

  • Personal Data may be processed and stored in the United States or other countries as necessary for the provision of the Services.
  • Where Personal Data is transferred outside the European Economic Area (EEA) or other jurisdictions with data transfer restrictions, we will ensure appropriate safeguards (such as EU Standard Contractual Clauses, UK IDTA, or other approved mechanisms) are in place.
  • By using our Services, you consent to such transfers, subject to these safeguards.

  7. Data Subject Rights

  • We will assist you, to the extent reasonably possible, in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
  • If we receive a Data Subject request directly, we will promptly notify you and, unless legally prohibited, act only upon your documented instructions.

  8. Security

  • We implement and maintain industry-standard technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Security measures include, but are not limited to: data encryption in transit and at rest, access controls, employee training, regular security assessments, and incident response plans.
  • Security measures are regularly reviewed and updated in accordance with technological developments and regulatory requirements.

  9. Data Retention and Deletion

  • Upon termination or expiration of Services, and at your documented request, we will, within 30 days, delete or return all Personal Data (including copies), unless retention is required by law or necessary for the establishment, exercise, or defense of legal claims.
  • Backup copies may be retained for a limited period as required for disaster recovery, regulatory, or contractual obligations, after which they will be securely deleted.
  • Upon deletion or return, we will certify in writing that deletion is complete, if requested.

  10. Audit and Compliance

  • Upon reasonable written notice, and no more than once per calendar year (unless required by law or following a Personal Data Breach), you or your authorized representative may audit our compliance with this Agreement, subject to reasonable confidentiality, security, and operational constraints.
  • We will provide information, documentation, and access to relevant personnel as necessary to demonstrate compliance.
  • You are responsible for the costs of any audit. Any third-party auditor must be mutually agreed upon and bound by confidentiality.

  11. Confidentiality

  • All information exchanged under this Agreement, including Personal Data and audit findings, shall be treated as confidential and not disclosed to third parties except as required by law or as necessary for the provision of Services.
  • This confidentiality obligation survives termination of the Agreement.

  12. Liability and Indemnity

  • Each party remains responsible for its own compliance with Data Protection Laws and for fulfilling its respective Data Controller or Data Processor obligations.
  • You agree to indemnify, defend, and hold harmless B.E.S.A LLC against all claims, losses, damages, liabilities, penalties, and costs arising out of or relating to your instructions, failure to comply with Data Protection Laws, or your use of the Services in breach of this Agreement.

  13. Governing Law and Jurisdiction

  • This Agreement is governed by the laws of the United States and the Commonwealth of Virginia, without regard to conflict of law principles.
  • Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Richmond City County, Virginia.

  14. Contact

For any questions or requests regarding this Agreement or our data processing practices, please contact us at:
support@besacoaching.com

  15. Updates

We may update this Agreement to reflect changes in law, best practices, or our Services. Material updates will be posted on our website and, where appropriate, notified to you. Continued use of the Services after such updates constitutes acceptance of the revised Agreement.

Last updated on: May 04, 2024

This Data Processing Agreement (“Agreement”) forms a legally binding contract between you and B.E.S.A LLC (based in 1601 Willow Lawn Dr Suite 304 The Shops at Willow Lawn, Richmond, VA 23223, United States) and applies to the extent to which B.E.S.A LLC processes Customer Personal Data on your behalf when you are the Data Controller, WHEREAS

(A) The Company acts as a Data Controller.

(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

  1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;

1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.8 “Data Transfer” means:

1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or

1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.9 “Services” means the platform for life coaches that the Company provides.

1.1.10 “Subprocessor” means any person appointed by or on behalf of a Processor to process Personal Data on behalf of the Company in connection with the Agreement.

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

  2. Processing of Company Personal Data

2.1 Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.1.2 not Process Company Personal Data other than on the relevant Company’s documented instructions.

2.2 The Company instructs the Processor to process Company Personal Data.

  3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  4. Security

4.1 Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, the Processor shall take into account, in particular, the risks that are presented by Processing, in particular from a Personal Data Breach.

  5. Subprocessing

5.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorised by the Company.

  6. Data Subject Rights

6.1 Considering the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as is possible, for the fulfilment of the Company obligations, as reasonably understood by the Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 Processor shall:

6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of the Company or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Company of that legal requirement before the Contracted Processor responds to the request.

  7. Personal Data Breach

7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Processor shall cooperate with the Company and take reasonable commercial steps as directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

  8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

  9. Deletion or return of Company Personal Data

9.1 Subject to this section 9, Processor shall promptly and in any event within 10 business days from the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.

  10. Audit rights

10.1 Subject to this section 10, the Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.

10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

  11. Data Transfer

11.1 The Processor may not transfer or authorise the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.

  12. General Terms

12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law;

(b) the relevant information is already in the public domain.

12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as notified from time to time by the Party changing its address.

  13. Governing Law and Jurisdiction

13.1 This Agreement is governed by the laws of the United States.

13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Richmond City County, California.