Last updated: April 2, 2026
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Terms of Service and any order form, subscription agreement, or other written agreement between Pono Software Inc. (“Pono”) and the customer using the Services (“Customer”) (collectively, the “Agreement”). This DPA applies where and to the extent Pono processes Customer Personal Data on Customer’s behalf and Applicable Data Protection Law requires a controller-processor or business-service provider/contractor agreement.
If there is a conflict between this DPA and the Agreement as to Customer Personal Data, this DPA controls.
1. Definitions
“Applicable Data Protection Law” means any law applicable to Pono’s processing of Customer Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, and the California Consumer Privacy Act, as amended by the California Privacy Rights Act, together with implementing regulations (“CCPA/CPRA”).
“Customer Account Data” means personal data relating to Customer’s business relationship with Pono, including billing, account administration, and support-contact information, which Pono processes as controller or business for its own operations and which is not Customer Personal Data.
“Customer Personal Data” means personal data processed by Pono on Customer’s behalf in connection with the Services, excluding Customer Account Data.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
“Subprocessor” means a third party engaged by Pono to process Customer Personal Data on Pono’s behalf.
2. Roles and Instructions
2.1 Roles. Customer is the controller or business, as applicable, and Pono is the processor, service provider, or contractor, as applicable, for Customer Personal Data.
2.2 Documented instructions. The Agreement, this DPA, Customer’s configuration and use of the Services, Customer’s written support requests, and Customer’s other written instructions constitute Customer’s documented instructions to Pono.
2.3 Authorized processing. Pono may process Customer Personal Data only as reasonably necessary to provide the Services and for the specific business purposes described in the Agreement and this DPA, including to host, store, retrieve, transmit, secure, maintain, back up, troubleshoot, support, export, and delete Customer Personal Data, prevent fraud or abuse, and comply with law. Pono will limit access to Customer Personal Data to personnel and agents who need that access for those purposes and who are bound by confidentiality obligations.
2.4 AI-powered features. If Customer or Customer’s authorized users enable or use AI-powered features, Customer instructs Pono to process relevant Customer Personal Data, including through contracted AI service providers, as reasonably necessary to provide those features, store related inputs and outputs within the Services and associated logs available through the account, provide support, maintain records, and secure the Services.
2.5 International processing. Customer authorizes Pono to process Customer Personal Data in Canada, the United States, and other countries where Pono or its Subprocessors operate, provided Pono complies with Applicable Data Protection Law. To the extent Customer Personal Data subject to GDPR or UK GDPR is transferred to a country not covered by an applicable adequacy decision, Pono will implement the transfer safeguard required by Applicable Data Protection Law, including the EU Standard Contractual Clauses and, where applicable, the UK Addendum, each incorporated by reference to the extent required.
2.6 No sale or independent marketing use. Pono will not sell or share Customer Personal Data, use it for its own independent marketing purposes, or use it outside the scope of this DPA and the Agreement. Pono may use aggregated or de-identified information that does not identify any individual to analyze, improve, and develop the Services.
3. Customer Responsibilities
Customer is responsible for complying with Applicable Data Protection Law as it applies to Customer’s use of the Services, providing required notices and obtaining required rights or consents, ensuring its instructions are lawful, and responding to data subject or consumer requests except to the extent Pono must assist under law or this DPA.
4. Pono Obligations
4.1 Processing only on instructions. Pono will process Customer Personal Data only on Customer’s documented instructions, unless otherwise required by law. If applicable law requires other processing, Pono will inform Customer before processing unless the law prohibits notice. If Pono becomes aware that a Customer instruction infringes Applicable Data Protection Law, Pono will inform Customer without undue delay.
4.2 Confidentiality and security. Pono will ensure that persons authorized to process Customer Personal Data are subject to an appropriate duty of confidentiality and will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
4.3 Subprocessors. Customer gives Pono general written authorization to engage Subprocessors. Pono will ensure each Subprocessor is bound by written obligations materially no less protective of Customer Personal Data than those in this DPA, to the extent applicable to the services performed by that Subprocessor. Pono remains responsible for its Subprocessors to the extent required by law. Pono will make available a current list of material Subprocessors on request and, where required by law, will provide reasonable notice of material additions or replacements and a reasonable opportunity to object on legitimate data protection grounds.
4.4 Assistance. Taking into account the nature of the processing and the information available to Pono, Pono will provide reasonable assistance to Customer to enable Customer to respond to rights requests and comply with obligations relating to security, breach notifications, data protection impact assessments, prior consultations, and similar obligations under Applicable Data Protection Law.
4.5 Personal Data Breach. Pono will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably necessary for Customer to meet its legal obligations.
4.6 Return and deletion. Upon termination or expiration of the Agreement, and subject to the functionality of the Services and applicable law, Pono will, at Customer’s choice, return or make available for export Customer Personal Data and delete Customer Personal Data, unless retention is required by law. Backup copies may be retained until deleted or overwritten in the ordinary course of business, provided they remain protected and are not further processed except as required by law.
4.7 Compliance information and audits. Pono will make available information reasonably necessary to demonstrate compliance with this DPA. Pono may satisfy this obligation by providing current third-party audit reports, security summaries, or similar documentation, where available. If that information is insufficient and Applicable Data Protection Law requires further review, Customer may, no more than once every 12 months and on reasonable prior written notice, conduct or appoint an independent auditor that is not a competitor of Pono to conduct a reasonable audit during normal business hours, subject to appropriate confidentiality, security, and minimal-disruption requirements. Customer will bear the costs of any such audit unless the audit establishes material non-compliance by Pono with this DPA.
4.8 Inability to comply. If Pono determines that it can no longer meet its obligations under this DPA, Pono will promptly notify Customer.
5. California-Specific Terms
To the extent the CCPA/CPRA applies to Customer Personal Data, the parties agree that Customer is the “business” and Pono is the “service provider” or “contractor,” as applicable. The specific and limited business purposes for which Pono processes Customer Personal Data are those described in Section 2.3 and Schedule 1. Pono will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the specific and limited business purposes described in the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Pono; or (d) combine Customer Personal Data received from Customer with personal information received from another person or collected from Pono’s own interaction with an individual, except as permitted by the CCPA/CPRA. Pono will provide the same level of privacy protection required by the CCPA/CPRA, cooperate with Customer in responding to verifiable consumer requests as required by law, flow down the applicable restrictions in this Section 5 to any Subprocessor that processes Customer Personal Data, notify Customer if it can no longer meet these obligations, and allow Customer to take reasonable and appropriate steps to help ensure and remediate compliance. Pono certifies that it understands the restrictions in this Section 5 and will comply with them.
6. General
This DPA remains in effect for as long as Pono processes Customer Personal Data on Customer’s behalf under the Agreement. Except as expressly modified by this DPA, the Agreement remains in full force and effect. The governing law, jurisdiction, disclaimers, limitations of liability, and other applicable general terms of the Agreement apply to this DPA except to the extent prohibited by Applicable Data Protection Law. If any provision of this DPA is held unenforceable, the remaining provisions will remain in effect.
Schedule 1 – Details of Processing
Subject matter and duration. Pono processes Customer Personal Data in connection with the provision of the Services, including related hosting, support, maintenance, backup, security, and optional AI-powered features, for the duration of the Agreement and any period permitted under Section 4.6.
Nature and purpose of processing. Pono may collect, store, organize, retrieve, use, transmit, disclose, back up, secure, support, export, delete, and analyze Customer Personal Data in de-identified or aggregated form as necessary to provide the Services. This includes communications, messaging, scheduling, content delivery, forms and questionnaires, reports and analytics, payment and order-related workflows directed by Customer, troubleshooting, maintenance, abuse prevention, disaster recovery, and, where enabled by Customer, AI-powered features.
Categories of data subjects. Data subjects may include Customer’s personnel (such as administrators, coaches, staff, and contractors), Customer’s end users or clients, leads and prospects, and other individuals whose personal data Customer submits to the Services.
Categories of personal data. Customer Personal Data may include contact and identity data, profile and account data, communications and message content, workout, training, nutrition, habit, wellness, scheduling, and progress-tracking data, photos, files, forms, notes, transaction and order-related data, device and usage data, and AI-related inputs and outputs where AI-powered features are enabled.
Sensitive data. Depending on how Customer uses the Services, Customer Personal Data may include health-, fitness-, wellness-, nutrition-, or other sensitive or special-category data that Customer or Customer’s authorized users choose to submit. Pono processes such data only on Customer’s documented instructions and in accordance with this DPA and Applicable Data Protection Law.
Customer’s rights and obligations. Customer’s rights and obligations are as set out in the Agreement and this DPA.