Skip to content

Data Processing Agreement

How we process data on behalf of your club.

Last updated: 4 April 2026

How to execute this DPA

This Data Processing Agreement is automatically incorporated into all paid Links Meridian subscription plans. No separate signature is required. By subscribing to a paid plan and using the platform, you agree to the terms of this DPA. Enterprise and Portfolio customers may request a custom DPA by contacting [email protected].

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between:

  • Links Meridian Ltd("Processor", "we", "us", or "our"), the provider of the Links Meridian golf club management platform; and
  • The subscribing golf club ("Controller", "you", or "your"), the entity that has entered into a subscription agreement for the Links Meridian platform.

This DPA applies automatically to all paid subscriptions and forms part of the Terms of Service between the parties. It sets out the terms on which the Processor will process personal data on behalf of the Controller in connection with the platform.

This DPA is made pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and Article 28 of the EU General Data Protection Regulation (EU GDPR).

2. Definitions

The following terms have the meanings set out below, aligned with the definitions in Article 4 of the GDPR:

  • Personal Datameans any information relating to an identified or identifiable natural person (a "data subject").
  • Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • Data Subject means the identified or identifiable natural person to whom the personal data relates.
  • Sub-processor means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • Supervisory Authority means an independent public authority established by a Member State or the UK responsible for monitoring the application of data protection law.

3. Data Processing Details

The following table summarises the key details of the data processing carried out under this DPA:

Subject matterProvision of the Links Meridian golf club management SaaS platform
DurationThe term of the subscription agreement
Nature and purposeStorage, retrieval, and processing of club member and operational data to provide the platform services
Categories of data subjectsClub members, guests, and staff
Types of personal dataNames, email addresses, phone numbers, membership details, booking history, financial transactions, community content, handicap data

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law
  • Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures as described in our security practices
  • Assist the Controller in responding to data subject access requests and in fulfilling obligations under Articles 32 to 36 of the GDPR
  • Delete or return all personal data to the Controller on termination of the subscription, at the Controller's choice, unless applicable law requires continued storage
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller

5. Sub-processing

The Controller provides general written authorisation for the Processor to engage sub-processors to carry out specific processing activities. A current list of sub-processors is maintained at linksmeridian.com/subprocessors.

The Processor shall provide the Controller with at least 30 days' advance written notice before adding or replacing any sub-processor. The Controller may object to the appointment of a new sub-processor within 14 days of receiving notice.

If the Controller raises a reasonable objection and the parties are unable to resolve the matter, the Controller may terminate the affected services without penalty.

The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the compliance of its sub-processors.

6. International Transfers

Where personal data is transferred outside the country of origin, the Processor ensures appropriate safeguards are in place:

  • UK transfers: the UK International Data Transfer Agreement (IDTA) is used as the transfer mechanism for personal data originating in the United Kingdom
  • EU transfers: the EU Standard Contractual Clauses (SCCs), Module 3 (Processor-to-Sub-processor), as approved by the European Commission, are used for personal data originating in the European Economic Area
  • US customers: personal data for US-based clubs is stored on US-hosted infrastructure and is not transferred to other regions unless required to deliver a specific service

7. Security Measures

The Processor implements the technical and organisational measures described in Annex II of this DPA. A summary of key measures includes:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of sensitive data at rest using AES-256-GCM
  • Role-based access controls with least-privilege policies
  • Complete tenant isolation between clubs on the platform
  • Detailed audit logging of data access and changes
  • Regular security assessments and vulnerability testing

Full details of our security practices are available at linksmeridian.com/security.

8. Data Breach Notification

In the event of a data breach, the Processor shall notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach.

The notification shall include:

  • The nature of the data breach, including where possible the categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
  • The name and contact details of the Processor's point of contact for further information

The Processor shall cooperate with the Controller in investigating, remediating, and responding to the breach, including assisting the Controller in meeting its notification obligations to supervisory authorities and data subjects.

9. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to restriction of processing
  • Right to object

The platform provides self-service data export tools that enable the Controller to respond to data portability and access requests directly.

The Processor will not respond directly to data subjects unless instructed to do so by the Controller, except to direct the data subject to the Controller.

10. Term and Termination

This DPA is effective for the duration of the subscription agreement between the parties.

On termination of the subscription:

  • All personal data processed under this DPA will remain available for export for a period of 90 days
  • After the 90-day export period, all personal data will be permanently deleted from active systems and backups
  • Financial records will be retained for the minimum period required by applicable law (typically 7 years)

This DPA shall survive termination of the subscription to the extent necessary to give effect to its provisions regarding data deletion, confidentiality, and liability.

Annex I: Data Processing Details

CategoryDetails
Data controllerThe subscribing golf club or course operator
Data processorLinks Meridian Ltd
Data subjectsClub members, guests, prospective members, staff, and other individuals whose data is entered into the platform
Categories of dataNames, email addresses, phone numbers, postal addresses, membership details, booking history, financial transactions, handicap data, community content, profile preferences
Sensitive dataNone processed by default. If the Controller chooses to store special category data (e.g., health or disability information for accessibility purposes), this is done at the Controller's discretion and responsibility.
Frequency of transferContinuous, as data is entered and updated through the platform
Retention periodDuration of subscription plus 90-day export period. Financial records retained for 7 years as required by law.
Subject matter and natureCloud-hosted SaaS platform for golf club management, including member administration, booking management, point-of-sale, communications, and analytics
PurposeTo provide the Controller with the golf club management platform and related services as described in the subscription agreement
Lawful basisPerformance of a contract between the Controller and the Processor (Article 6(1)(b) GDPR), and the Controller's legitimate interests in managing club operations (Article 6(1)(f) GDPR)

Annex II: Technical and Organisational Measures

The Processor implements the following technical and organisational measures to protect personal data:

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Sensitive data at rest is encrypted using AES-256-GCM
  • Database connections are encrypted in transit

Access Control

  • Role-based access control (RBAC) enforced at the application and database levels
  • Multi-factor authentication (MFA) ready for all administrative accounts
  • Least-privilege access policies for all internal personnel

Network Security

  • Complete tenant isolation between clubs on the platform
  • Private backend networks with no direct public access
  • Firewall rules restricting traffic to authorised services only

Data Management

  • Automated daily backups with encryption
  • 30-day backup retention with point-in-time recovery
  • Geographically separate backup storage for disaster recovery

Monitoring

  • Real-time error tracking and performance monitoring
  • Automated alerts for anomalous activity and system events
  • Detailed audit logging of all data access and administrative actions

Incident Response

  • 24/7 infrastructure monitoring and alerting
  • 72-hour breach notification commitment as detailed in Section 8
  • Post-incident review process with root cause analysis and remediation tracking

For full details of our security practices, visit linksmeridian.com/security.