
Data Processing Agreement

Effective date: May 24, 2026  ·  Pinnacle Club Solutions LLC  ·  Fort Worth, Texas

This DPA applies automatically to all Pinnacle subscribers and supplements the Terms of Service. Execution of a separate DPA is available on request at legal@pinnacleclubs.net.

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Pinnacle Club Solutions LLC (“Processor” or “Pinnacle”) and the subscribing organization (“Controller” or “Customer”). It governs the processing of personal data by Pinnacle on behalf of the Customer in connection with the Pinnacle platform.

This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent data protection laws where applicable.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by Pinnacle on behalf of Customer in connection with the Service.
  • “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
  • “Controller” means the Customer, the organization that determines the purposes and means of processing Personal Data.
  • “Processor” means Pinnacle Club Solutions LLC, the entity that processes Personal Data on behalf of the Controller.
  • “Sub-processor” means a third party engaged by Pinnacle to process Personal Data in connection with the Service.
  • “Data Subject” means an individual whose Personal Data is processed, typically club members, staff, and vendors.

2. Nature and Purpose of Processing

Pinnacle processes Personal Data to provide the Service as described in the Terms of Service. The nature, purpose, and subject matter of processing are:

Category | Data Types | Purpose
Club member records | Name, email, phone, member number, membership type, account balance | Member billing, AR management, F&B minimum tracking
Staff / user accounts | Name, email, role, login activity | Platform access, RBAC enforcement, audit trail
Vendor records | Company name, contact name, email, address, payment terms | Purchase order processing, vendor management
Financial records | Charge amounts, payment dates, journal entries | Billing, accounting, GL reporting
Operational data | Inventory counts, PO records, recipe data, work orders | Operations management

3. Processor Obligations

Pinnacle shall:

  • Process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA), unless required to do so by applicable law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 5
  • Not engage a Sub-processor without prior written authorization from the Controller (general authorization granted per Section 6)
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests regarding the exercise of their rights under applicable data protection law
  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required
  • Delete or return all Personal Data to the Controller at the end of the service relationship, as specified in Section 7
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

4. Controller Obligations

The Controller shall:

  • Ensure there is a lawful basis for processing Personal Data as required under applicable data protection law
  • Obtain any required consents from Data Subjects (e.g. club members) for the processing described in this DPA
  • Ensure that Personal Data provided to Pinnacle is accurate and up to date
  • Not instruct Pinnacle to process Personal Data in a manner that would violate applicable law
  • Be responsible for configuring platform access controls and role-based permissions appropriately

5. Security Measures

Pinnacle implements the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: TLS encryption on all data transmission. No plaintext HTTP.
  • Access control: Server-side role-based access control (RBAC). Five roles with defined permissions. Authentication via NextAuth.js with bcrypt password hashing.
  • Organizational isolation: Multi-tenant architecture with structural org isolation, every database query scoped by organization ID. Cross-tenant data access is architecturally prevented.
  • Infrastructure security: Cloudflare DDoS protection and WAF. No direct server exposure.
  • Database security: Parameterized queries (no SQL injection risk). Managed PostgreSQL with automated backups and point-in-time recovery.
  • Incident response: Pinnacle will notify the Controller within 72 hours of becoming aware of a Personal Data breach, as required by GDPR Article 33.

6. Sub-processors

The Controller grants Pinnacle general authorization to engage the following Sub-processors. Pinnacle will notify the Controller of any intended changes at least 30 days in advance.

Sub-processor | Location | Purpose
Neon (Neon Inc.) | United States | PostgreSQL database hosting and storage
Stripe, Inc. | United States | Payment processing and subscription billing
Resend (Resend Inc.) | United States | Transactional email delivery
Twilio Inc. | United States | SMS alert delivery
Cloudflare, Inc. | United States | CDN, DDoS protection, WAF, DNS
Vercel Inc. | United States | Application hosting and edge delivery

Each Sub-processor is subject to contractual data protection obligations equivalent to those in this DPA. Pinnacle remains liable to the Controller for Sub-processor compliance.

7. Data Retention and Deletion

Upon termination of the Terms of Service, Pinnacle will retain Customer Personal Data for 90 days during which the Controller may export all data via the platform export functionality. After 90 days, Pinnacle will permanently delete all Customer Personal Data from production systems within 30 days. Backups containing Personal Data will be purged within 60 days of the deletion date.

Pinnacle may retain anonymized, aggregated data (with no individual or organization identifiable) for product improvement purposes indefinitely.

8. Data Subject Rights

The Controller is the Data Controller responsible for responding to Data Subject rights requests (access, rectification, erasure, portability, objection). Pinnacle will assist the Controller in fulfilling these requests by providing the technical means to export, correct, or delete Personal Data within the platform.

For requests Pinnacle cannot fulfill through platform tools alone, the Controller may submit a written request to privacy@pinnacleclubs.net. Pinnacle will respond within 10 business days.

9. International Data Transfers

Personal Data processed under this DPA is stored and processed in the United States. Transfers of Personal Data from the European Economic Area (EEA) to the United States are made pursuant to the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, which are incorporated into this DPA by reference. A copy of the applicable SCCs is available on request at legal@pinnacleclubs.net.

10. Audit Rights

Pinnacle shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may request an annual security audit or review of relevant documentation by providing 30 days' written notice. Pinnacle may require the Controller to use a mutually agreed third-party auditor and to execute a confidentiality agreement before providing access to audit materials.

11. Term

This DPA is effective for the duration of Pinnacle’s processing of Personal Data under the Terms of Service. Obligations that by their nature should survive termination (security, deletion, confidentiality) remain in effect for 3 years after termination.

12. Governing Law

This DPA is governed by the laws of the State of Texas, consistent with the governing law of the Terms of Service. For EU/EEA Customers, GDPR requirements take precedence where applicable law requires.

13. Contact

Data protection questions, DPA execution requests, Data Subject rights requests:
Pinnacle Club Solutions LLC
Fort Worth, Texas
privacy@pinnacleclubs.net

Note: This DPA is a standard agreement. Enterprise customers requiring a customized or countersigned DPA should contact legal@pinnacleclubs.net. All legal documents should be reviewed by qualified counsel before reliance.

© 2026 Pinnacle Club Solutions LLC. All rights reserved.