Data Processing Addendum
Last updated · Effective
This DPA supplements the Benmen Investments Pty Ltd (trading as “Rally10,” “Processor”) Terms of Service between Rally10 and the Customer (“Controller”) regarding the processing of Personal Data under Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the Australian Privacy Act 1988, and applicable state privacy laws (including CCPA/CPRA).
1. Roles
Customer acts as Controller (or Processor, if acting for a third party). Rally10 acts as Processor (or Sub-Processor). Rally10 processes Personal Data only to deliver the Service.
2. Subject matter, nature, and purpose
Rally10 processes Personal Data to provide the Service — hosting, storage, search, AI-assisted features, email delivery, and related support — as instructed by the Customer. Processing duration: for as long as the account is active, plus any deletion window agreed in the Terms.
3. Categories of data subjects and data
- Data subjects: Customer’s employees, contractors, and users granted access to the Customer’s organization.
- Data categories: contact information, organizational role, activity within the Service, content Customer uploads to the Service.
4. Customer instructions
Rally10 will only process Personal Data on documented instructions from the Customer, including transfers to a third country, unless required by law. If Rally10 believes an instruction breaches GDPR, we’ll notify the Customer.
5. Confidentiality
Personnel processing Personal Data are bound by confidentiality obligations and trained on data protection.
6. Security
Rally10 maintains technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, multi-tenant isolation, vulnerability monitoring, and incident response. See the Security Overview.
7. Sub-processors
Customer consents to the following sub-processors engaged by Rally10:
- Vercel Inc. — hosting and edge network; serverless functions pinned to Sydney region (ap-southeast-2)
- Neon Inc. — managed Postgres database; primary instance in Sydney (AWS ap-southeast-2)
- Clerk — authentication (USA)
- Stripe — payment processing (USA)
- Anthropic PBC — AI inference via the Vercel AI Gateway (USA)
- Resend — transactional email (USA)
Rally10 will give 30 days’ notice of any new sub-processor. Customer may object in writing; if we can’t resolve the concern, Customer may terminate.
8. Data location and international transfers
Customer Personal Data is primarily stored and processed in Australia (Sydney, AWS ap-southeast-2). Where sub-processors operate in the USA or other regions (see §7), Personal Data may be transferred from the EEA, UK, or Australia to those regions. Such transfers from the EEA/UK are governed by the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, incorporated by reference.
9. Data subject rights
Rally10 will assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) through reasonable technical and organizational measures.
10. Breach notification
Rally10 will notify the Customer without undue delay, and within 72 hours, after becoming aware of a Personal Data breach affecting Customer data.
11. Audits
Rally10 will make available, on request, information reasonably necessary to demonstrate compliance with this DPA. External audits and on-site inspections are available with 30 days’ notice, subject to reasonable cost recovery.
12. Deletion
On termination, Rally10 will delete Customer Personal Data within 30 days, unless legally required to retain.