Cloudathlete’s Commitment to Data Security – and Your Right to Own and Move Your Data

Cloudathlete exists to help sports organisations run brilliantly without ever losing control of their information. That means two non-negotiables:

1. we secure your data to a high, auditable standard, and
2. you, not your vendor, own and control that data—during the contract and when it ends.

Below is our approach, followed by an industry perspective on what counts as best practice versus anti-competitive or restrictive behaviour.

Our Security Principles

1) Privacy & Governance by Design

• Controller/Processor clarity: Clients (e.g., NGBs, clubs, leagues) are the Data Controller; Cloudathlete is the Data Processor under UK GDPR/DPA 2018 (or the relevant local law).
• Data Protection Impact Assessments (DPIAs): Built into onboarding and major changes.
• Minimisation & purpose limitation: We only process what’s necessary to deliver agreed services.

2) Modern Security Architecture

• Encryption: TLS 1.2+ in transit; strong encryption at rest; keys stored and rotated under strict access controls.
• Zero-trust access: Role-based access control (RBAC), least-privilege, and MFA for admins; optional SSO (SAML/OIDC).
• Environment isolation: Segregated production networks, secrets management, hardened CI/CD.
• Auditability: Immutable audit logs for admin actions, data exports, and permission changes.

3) Resilience & Operational Assurance

• Backups & disaster recovery: Point-in-time backups, tested restores, RPO/RTO targets documented in the SLA.
• Vulnerability management: Regular patching, dependency scanning, and scheduled third-party penetration tests.
• Incident response: 24/7 on-call escalation, forensics playbooks, regulatory breach notifications per statutory timelines.
• Supplier oversight: Sub-processor due diligence, published list of sub-processors, and advance notice of changes.

4) Transparency & Control for Clients

• Data ownership charter (summary):
  • You own your data and derived content you’ve funded.
  • You can export data (standard formats) anytime.
  • You can integrate via documented APIs, subject to security/rate limits that are reasonable and non-discriminatory.
  • On termination, you receive a complete, verified export and we securely delete residual data per your instruction and legal obligations.

• Portability tooling: Bulk export endpoints, webhook/event streams, and schema documentation to reduce switching costs.

Interoperability & APIs

Cloudathlete is built to plug-in, not lock-in:

• Open, well-documented APIs for membership, events, rankings, payments, comms, and finance connectors.
• Standards first: SSO (SAML/OIDC), eventing via webhooks, and finance integrations (e.g., Xero, Sage, Business Central) through stable patterns and mapping layers.
• Fair use & performance: Transparent rate limits sized to typical workloads; elevated tiers where objectively needed, not as a barrier to integration.

What Good Looks Like (Industry Best Practices)

Data Ownership & Access

• Contracts state explicitly: the client owns all first-party data (including member records, transaction metadata, rankings, media you upload).
• APIs and exports available throughout the contract—not only at exit.
• No “IP creep”: Vendors do not claim IP over client data or derived data that substitutes for the original dataset.

Openness & Non-Discrimination

• Right to integrate: Controller may authorise third parties (e.g., league apps, analytics partners) to access their data securely.
• Reasonable SLAs and rate limits: Technical controls never become commercial weapons.
• Transparent fees: Cost-recovery is fine; punitive or obstructive pricing for API access is not.

Security & Compliance

• Documented security controls (encryption, RBAC, logging, DR).
• Independent testing and remediation timelines for findings.
• Named sub-processors with change notifications and exit rights if material risk is introduced.

Exit & Portability

• Clear exit plan: Timetabled export, checksums/validation, and knowledge-transfer support.
• Multiple formats: CSV/JSON and, where appropriate, SQL dumps or object storage snapshots.
• Deletion certificates post-exit, aligned to statutory retention and your instructions.

Red Flags: Anti-Competitive or Restrictive Practices

These clauses and behaviours harm customers and the wider ecosystem. We oppose them.

1. “No Third-Party Access” blanket prohibitions
   • Language that bars the Controller from authorising partners to read/write via API—even when secure—is anti-competitive and undermines portability.

2. Data Hostage Tactics
   • Withholding exports until final day of service; delaying schema docs; or providing only partial/incomplete dumps.
   • “Exit fees” that are disproportionate to the effort involved.

3. API as a Gatekeeping Tool
   • Unpublished, unstable, or selectively throttled APIs; charging punitive “integration fees” without genuine cost basis; per-partner vetoes absent clear security grounds.

4. IP Overreach
   • Vendor claims ownership over client data or “aggregations” that are practically a substitute for the underlying dataset, limiting the client’s ability to compete or switch.

5. Change-of-Control Traps
   • Clauses allowing a vendor to unilaterally restrict integrations or hike fees on merger/strategy changes by the client or their partners.

6. Unreasonable Confidentiality Gags
   • Preventing customers from sharing performance/security information necessary to run their programmes or migrate providers.

7. Pre-Cutover Lockouts
   • Demanding integration shutdowns or third-party bans before a new platform is ready, causing unnecessary operational disruption.

How Cloudathlete Contracts Reflect These Values

• Plain-English Data Ownership Clause: “You are the Data Controller; you own your data. Cloudathlete processes it on your instructions.”
• Standing Export Right: Self-service exports (CSV/JSON) plus scheduled automated exports for downstream systems.
• Integration-Friendly: You may authorise third parties to integrate, subject only to objective security and capacity constraints.
• Fair API Terms: Published docs, stable versioning, reasonable rate limits, and non-discriminatory access for authorised parties.
• Exit-Ready: We maintain an exit runbook (datasets, formats, timelines), provide a named coordinator, and issue deletion certificates.
• Security & Audit: Documented controls, pen-test cadence, incident SLAs, sub-processor transparency, and optional ISO 27001 alignment roadmap.

A Buyer’s Checklist (Keep It Handy)

• ❑ Contract states you own the data; vendor is Processor.

• ❑ APIs & exports available at all times; formats and schemas documented.

• ❑ Right to authorise third-party access (with reasonable security terms).

• ❑ Exit plan and timelines are written; fees (if any) are proportionate and capped.

• ❑ Security controls (encryption, RBAC, logging, DR) are described and testable.

• ❑ Sub-processors listed with change-notification rights.

• ❑ No “no-third-party,” gag, or IP-overreach clauses.

• ❑ Incident response and breach notification obligations are explicit.

• ❑ Service credits/ remedies for material outages or missed SLAs.

• ❑ Portability tested (sample exports/integrations) before go-live.

Strong security and genuine data ownership are not trade-offs—they reinforce each other. When your platform is secure, interoperable, and exit-ready, you make better long-term decisions and avoid costly dead ends. Cloudathlete will continue to advocate for open, standards-based sport tech where vendors compete on service and value—not on who can hold your data the tightest.