Data Processing Addendum

Last updated · Effective

This DPA supplements the Rally10 (“Rally10,” “Processor”) Terms of Service between Rally10 and the Customer (“Controller”) regarding the processing of Personal Data under Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and applicable state privacy laws (including CCPA/CPRA).

1. Roles

Customer acts as Controller (or Processor, if acting for a third party). Rally10 acts as Processor (or Sub-Processor). Rally10 processes Personal Data only to deliver the Service.

2. Subject matter, nature, and purpose

Rally10 processes Personal Data to provide the Service — hosting, storage, search, AI-assisted features, email delivery, and related support — as instructed by the Customer. Processing duration: for as long as the account is active, plus any deletion window agreed in the Terms.

3. Categories of data subjects and data

  • Data subjects: Customer’s employees, contractors, and users granted access to the Customer’s organization.
  • Data categories: contact information, organizational role, activity within the Service, content Customer uploads to the Service.

4. Customer instructions

Rally10 will only process Personal Data on documented instructions from the Customer, including transfers to a third country, unless required by law. If Rally10 believes an instruction breaches GDPR, we’ll notify the Customer.

5. Confidentiality

Personnel processing Personal Data are bound by confidentiality obligations and trained on data protection.

6. Security

Rally10 maintains technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, multi-tenant isolation, vulnerability monitoring, and incident response. See the Security Overview.

7. Sub-processors

Customer consents to the following sub-processors engaged by Rally10:

  • Vercel Inc. — hosting, edge network, monitoring (USA)
  • Neon Inc. — managed Postgres database (USA/EU)
  • Clerk — authentication (USA)
  • Stripe — payment processing (USA)
  • Anthropic PBC — AI inference via AI Gateway (USA)
  • Resend — transactional email (USA)

Rally10 will give 30 days’ notice of any new sub-processor. Customer may object in writing; if we can’t resolve the concern, Customer may terminate.

8. International transfers

Transfers of Personal Data outside the EEA/UK are governed by the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, incorporated by reference.

9. Data subject rights

Rally10 will assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) through reasonable technical and organizational measures.

10. Breach notification

Rally10 will notify the Customer without undue delay, and within 72 hours, after becoming aware of a Personal Data breach affecting Customer data.

11. Audits

Rally10 will make available information to demonstrate compliance, including SOC 2 reports (when available) and penetration test summaries. On-site audits are available with 30 days’ notice subject to reasonable cost recovery.

12. Deletion

On termination, Rally10 will delete Customer Personal Data within 30 days, unless legally required to retain it.

13. Contact

privacy@rally10.com