Data Processing Agreement
How we process data on behalf of your club.
Last updated: 4 April 2026
How to execute this DPA
This Data Processing Agreement is automatically incorporated into all paid Links Meridian subscription plans. No separate signature is required. By subscribing to a paid plan and using the platform, you agree to the terms of this DPA. Enterprise and Portfolio customers may request a custom DPA by contacting [email protected].
Contents
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- Links Meridian Ltd("Processor", "we", "us", or "our"), the provider of the Links Meridian golf club management platform; and
- The subscribing golf club ("Controller", "you", or "your"), the entity that has entered into a subscription agreement for the Links Meridian platform.
This DPA applies automatically to all paid subscriptions and forms part of the Terms of Service between the parties. It sets out the terms on which the Processor will process personal data on behalf of the Controller in connection with the platform.
This DPA is made pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and Article 28 of the EU General Data Protection Regulation (EU GDPR).
2. Definitions
The following terms have the meanings set out below, aligned with the definitions in Article 4 of the GDPR:
- Personal Datameans any information relating to an identified or identifiable natural person (a "data subject").
- Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- Data Subject means the identified or identifiable natural person to whom the personal data relates.
- Sub-processor means any third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- Supervisory Authority means an independent public authority established by a Member State or the UK responsible for monitoring the application of data protection law.
3. Data Processing Details
The following table summarises the key details of the data processing carried out under this DPA:
| Subject matter | Provision of the Links Meridian golf club management SaaS platform |
| Duration | The term of the subscription agreement |
| Nature and purpose | Storage, retrieval, and processing of club member and operational data to provide the platform services |
| Categories of data subjects | Club members, guests, and staff |
| Types of personal data | Names, email addresses, phone numbers, membership details, booking history, financial transactions, community content, handicap data |
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law
- Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures as described in our security practices
- Assist the Controller in responding to data subject access requests and in fulfilling obligations under Articles 32 to 36 of the GDPR
- Delete or return all personal data to the Controller on termination of the subscription, at the Controller's choice, unless applicable law requires continued storage
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller
5. Sub-processing
The Controller provides general written authorisation for the Processor to engage sub-processors to carry out specific processing activities. A current list of sub-processors is maintained at linksmeridian.com/subprocessors.
The Processor shall provide the Controller with at least 30 days' advance written notice before adding or replacing any sub-processor. The Controller may object to the appointment of a new sub-processor within 14 days of receiving notice.
If the Controller raises a reasonable objection and the parties are unable to resolve the matter, the Controller may terminate the affected services without penalty.
The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the compliance of its sub-processors.
6. International Transfers
Where personal data is transferred outside the country of origin, the Processor ensures appropriate safeguards are in place:
- UK transfers: the UK International Data Transfer Agreement (IDTA) is used as the transfer mechanism for personal data originating in the United Kingdom
- EU transfers: the EU Standard Contractual Clauses (SCCs), Module 3 (Processor-to-Sub-processor), as approved by the European Commission, are used for personal data originating in the European Economic Area
- US customers: personal data for US-based clubs is stored on US-hosted infrastructure and is not transferred to other regions unless required to deliver a specific service
7. Security Measures
The Processor implements the technical and organisational measures described in Annex II of this DPA. A summary of key measures includes:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest using AES-256-GCM
- Role-based access controls with least-privilege policies
- Complete tenant isolation between clubs on the platform
- Detailed audit logging of data access and changes
- Regular security assessments and vulnerability testing
Full details of our security practices are available at linksmeridian.com/security.
8. Data Breach Notification
In the event of a data breach, the Processor shall notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach.
The notification shall include:
- The nature of the data breach, including where possible the categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
- The name and contact details of the Processor's point of contact for further information
The Processor shall cooperate with the Controller in investigating, remediating, and responding to the breach, including assisting the Controller in meeting its notification obligations to supervisory authorities and data subjects.
9. Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restriction of processing
- Right to object
The platform provides self-service data export tools that enable the Controller to respond to data portability and access requests directly.
The Processor will not respond directly to data subjects unless instructed to do so by the Controller, except to direct the data subject to the Controller.
10. Term and Termination
This DPA is effective for the duration of the subscription agreement between the parties.
On termination of the subscription:
- All personal data processed under this DPA will remain available for export for a period of 90 days
- After the 90-day export period, all personal data will be permanently deleted from active systems and backups
- Financial records will be retained for the minimum period required by applicable law (typically 7 years)
This DPA shall survive termination of the subscription to the extent necessary to give effect to its provisions regarding data deletion, confidentiality, and liability.
Annex I: Data Processing Details
| Category | Details |
|---|---|
| Data controller | The subscribing golf club or course operator |
| Data processor | Links Meridian Ltd |
| Data subjects | Club members, guests, prospective members, staff, and other individuals whose data is entered into the platform |
| Categories of data | Names, email addresses, phone numbers, postal addresses, membership details, booking history, financial transactions, handicap data, community content, profile preferences |
| Sensitive data | None processed by default. If the Controller chooses to store special category data (e.g., health or disability information for accessibility purposes), this is done at the Controller's discretion and responsibility. |
| Frequency of transfer | Continuous, as data is entered and updated through the platform |
| Retention period | Duration of subscription plus 90-day export period. Financial records retained for 7 years as required by law. |
| Subject matter and nature | Cloud-hosted SaaS platform for golf club management, including member administration, booking management, point-of-sale, communications, and analytics |
| Purpose | To provide the Controller with the golf club management platform and related services as described in the subscription agreement |
| Lawful basis | Performance of a contract between the Controller and the Processor (Article 6(1)(b) GDPR), and the Controller's legitimate interests in managing club operations (Article 6(1)(f) GDPR) |
Annex II: Technical and Organisational Measures
The Processor implements the following technical and organisational measures to protect personal data:
Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Sensitive data at rest is encrypted using AES-256-GCM
- Database connections are encrypted in transit
Access Control
- Role-based access control (RBAC) enforced at the application and database levels
- Multi-factor authentication (MFA) ready for all administrative accounts
- Least-privilege access policies for all internal personnel
Network Security
- Complete tenant isolation between clubs on the platform
- Private backend networks with no direct public access
- Firewall rules restricting traffic to authorised services only
Data Management
- Automated daily backups with encryption
- 30-day backup retention with point-in-time recovery
- Geographically separate backup storage for disaster recovery
Monitoring
- Real-time error tracking and performance monitoring
- Automated alerts for anomalous activity and system events
- Detailed audit logging of all data access and administrative actions
Incident Response
- 24/7 infrastructure monitoring and alerting
- 72-hour breach notification commitment as detailed in Section 8
- Post-incident review process with root cause analysis and remediation tracking
For full details of our security practices, visit linksmeridian.com/security.