Data Processing Addendum
Last updated: 2026-05-24
For the clubs, leagues, and associations that run on Midfield: how we handle the member data you put into the platform. Plain English. The version your board can read.
1. What this covers
This Data Processing Addendum (“DPA”) applies when Midfield HQ, Inc. (“Midfield”) processes personal data on behalf of an organization (a club, league, team, tournament, or association) that uses Midfield (the “organization”). It forms part of, and is governed by, the Terms of Service at /legal/terms.
In plain terms: the organization decides what member data goes into Midfield and why (the organization is the “controller”), and Midfield handles that data on the organization’s behalf (Midfield is the “processor”). This DPA describes how.
2. What we process, and why
Midfield processes personal data only to provide the service the organization signed up for: registration, payments and payouts, rosters and scheduling, communications, forms and e-signatures, safety tracking, and reporting.
Categories of data: account and contact details, household and player information (including age group and optional medical or accommodation fields a household provides), payment records (card numbers stay with the payment processor), forms and consents, communications, and usage logs.
Categories of data subjects: the organization’s administrators, coaches, and staff; parents and guardians; and players, including minors.
Duration: for as long as the organization’s account is active, plus any period required to meet legal, audit, or dispute obligations.
3. Our commitments as processor
Midfield will:
- Process personal data only on the organization’s documented instructions (including those given through normal use of the product), unless law requires otherwise.
- Keep personal data confidential and ensure people authorized to process it are bound by confidentiality.
- Maintain appropriate technical and organizational security measures: encryption in transit, tenant isolation, role-based access, and an append-only audit trail (see /security).
- Help the organization respond to requests from individuals (access, correction, deletion, portability) using the product’s tools or reasonable support.
- Help the organization with its own obligations for security, breach notification, and data protection assessments, taking into account the information available to us.
- Return or delete personal data at the end of the engagement, as described in Section 8.
4. Sub-processors
Midfield uses a small set of vendors (“sub-processors”) to operate the service. We describe them by category: payment processing, email delivery, text-message (SMS) delivery, cloud hosting and database, object storage and content delivery, push notifications, and product analytics.
A current list of named sub-processors is available on request at privacy@midfieldhq.com. We require each sub-processor, by contract, to protect personal data to a standard at least as protective as this DPA, and we remain responsible for their performance.
If we add or replace a sub-processor in a way that materially affects an organization’s data, we will provide notice (for example, by email or an in-app or website update). An organization may object on reasonable data-protection grounds; if we cannot resolve the concern, the organization may stop using the affected feature or terminate as provided in the Terms.
5. International data transfers
Midfield is operated from the United States and processes personal data there. Where personal data is transferred from the EEA, the UK, or other regions that require it, we rely on appropriate safeguards such as Standard Contractual Clauses or another lawful transfer mechanism.
6. Individual rights requests
If an individual contacts Midfield directly to exercise their rights over data held inside an organization’s account, we will promptly forward the request to that organization and will not respond on the organization’s behalf except on its instructions or as required by law. We provide tools and reasonable assistance so the organization can fulfill these requests.
7. If there’s a data breach
If Midfield becomes aware of a personal-data breach affecting an organization’s data, we will notify the organization without undue delay, share what we reasonably know about what happened and what data was involved, and describe the steps we are taking. This helps the organization meet its own notification obligations.
8. Demonstrating compliance, and ending the engagement
On reasonable request, Midfield will provide information needed to show we are meeting this DPA, and will allow reasonable audits (including by a third party the organization appoints) on reasonable notice, no more than once a year except where law or a regulator requires more, and conducted so as not to disrupt the service or other customers.
When an organization’s account ends, Midfield will, at the organization’s choice, return its personal data in an open, standard format or delete it, within a reasonable period. The exception is copies we must keep by law or that exist in routine backups, which we protect and delete on their normal cycle.
9. Order of precedence
If anything in this DPA conflicts with the Terms of Service on the subject of data protection, this DPA controls for that subject.
10. Contact
Data-protection questions, sub-processor lists, or a signed copy of this DPA: privacy@midfieldhq.com. See also our Privacy Policy and Terms of Service.