Legal

Data Processing Addendum

Last updated: May 2026

Preamble

This Data Processing Addendum ("DPA") forms part of the agreement between Signal X Studio LLC ("Rally HQ", "Processor") and the Tournament Organizer ("Organizer", "Controller") who has accepted the Terms of Service. It applies to Rally HQ's processing of Personal Data on behalf of the Organizer in connection with the Service. It is designed to satisfy GDPR Article 28, UK GDPR Article 28, and the requirements for Service Provider contracts under CCPA / CPRA and analogous US state privacy laws.

For Personal Data the Organizer enters into Rally HQ about Participants, the Organizer is Controller and Rally HQ is Processor. For Personal Data Rally HQ collects directly about the Organizer's account (email, billing info), Rally HQ is the Controller — that processing is governed by the Privacy Policy, not this DPA.

Operating Entity: Signal X Studio LLC, an Illinois limited liability company — c/o Northwest Registered Agent Service, Inc., 2501 Chatham Rd Suite N, Springfield, IL 62704, USA

§1 Definitions

  • "Personal Data," "Controller," "Processor," "Data Subject," "Sub-processor," and "Processing" have the meanings given in GDPR Article 4.
  • "Personal Information," "Business," "Service Provider," and "Consumer" have the meanings given in CCPA / CPRA.
  • "Applicable Data Protection Law" means GDPR, UK GDPR, CCPA/CPRA, and any US state comprehensive privacy law that applies to the Organizer.
  • "Service" has the meaning given in the Terms of Service.
  • "Participant Data" means Personal Data of Participants that the Organizer inputs into the Service.

§2 Subject Matter, Duration, Nature, Purpose (GDPR Art 28(3))

  • Subject matter: processing of Participant Data necessary to provide the Service.
  • Duration: for the duration of the Organizer's account, plus the retention periods set out in the Privacy Policy.
  • Nature and purpose: registration management, bracket/schedule generation, scoring, standings display, participant communications initiated by Organizer.
  • Types of Personal Data: names, email addresses, phone numbers (captains), team affiliations, registration consents (timestamp + IP), match scores.
  • Categories of Data Subjects: Participants (players, captains, parents/guardians of minor participants, spectators who register).
  • Controller's obligations and rights: as set out in the Terms of Service §3 (Organizer Responsibilities).

§3 Processor Obligations

Rally HQ shall:

  • Process Participant Data only on documented instructions from the Organizer (the instructions are: provide the Service as configured by Organizer + the Privacy Policy + this DPA).
  • Notify the Organizer if Rally HQ believes an instruction violates Applicable Data Protection Law.
  • Ensure persons authorized to process Participant Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures per GDPR Art 32 (HTTPS/TLS in transit, encryption at rest, access controls, regular security review, breach response process).
  • Assist the Organizer in responding to Data Subject requests.
  • Assist the Organizer in fulfilling Art 32–36 obligations (security, breach notification, DPIA, prior consultation).
  • Make available all information necessary to demonstrate compliance and allow for audits (with reasonable notice, no more than once per year except in case of a security incident, at Organizer's cost).
  • At end of services, delete or return all Participant Data, except as required for legal compliance.

§4 Sub-Processors

Rally HQ uses sub-processors listed at rallyhq.app/sub-processors. By accepting this DPA, the Organizer provides general written authorization for Rally HQ to engage sub-processors. Rally HQ will notify Organizers at least 30 days before adding or replacing a sub-processor; the Organizer may object on reasonable grounds within that period.

Objection mechanism: Email legal@rallyhq.app. Material objections may result in suspension or termination if no reasonable accommodation is possible.

Rally HQ remains liable for sub-processor acts and omissions and imposes equivalent data protection obligations on each sub-processor.

§5 Security Incidents

Rally HQ will notify the Organizer without undue delay after becoming aware of a Personal Data Breach affecting Participant Data, and in any event within 72 hours where required by GDPR Art 33. The notice will include:

  • the nature of the breach;
  • categories and approximate number of Data Subjects affected;
  • likely consequences; and
  • measures taken or proposed.

§6 International Transfers

For transfers from the EEA, UK, or Switzerland to the United States, the EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference and form part of this DPA, with the following selections:

  • Clause 7 (Docking): applicable.
  • Clause 9(a) (Sub-processor authorization): Option 2 — General Written Authorization with 30-day notice per §4 above.
  • Clause 11 (Redress): independent dispute resolution body: JAMS (or as otherwise designated by mutual agreement at the time an EU customer relationship is established). Rally HQ does not currently target or process EU/UK/Swiss resident data; this designation is dormant until EU expansion.
  • Clause 17 (Governing law): Ireland.
  • Clause 18 (Forum): Ireland.

For UK transfers, the UK International Data Transfer Addendum is incorporated by reference.

§7 CCPA / CPRA Service Provider Provisions

Where Rally HQ processes Personal Information of California residents on behalf of an Organizer that is a Business under CCPA:

  • Rally HQ is a Service Provider as defined in CCPA §1798.140(ag).
  • Rally HQ will not Sell or Share (as defined in CPRA) Personal Information received from the Business.
  • Rally HQ will not retain, use, or disclose Personal Information for any purpose other than the specific purpose of performing the Service, or as otherwise permitted by CCPA §1798.140(ag)(1)(C).
  • Rally HQ will not combine Personal Information received from the Business with Personal Information received from or on behalf of any other person, or collected from its own interactions with Consumers, except as permitted by CCPA Regulations §7050(b).
  • Rally HQ will notify the Business if it determines it can no longer meet its obligations under CCPA.
  • The Business may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

§8 Data Subject Requests

If Rally HQ receives a request from a Data Subject or Consumer directly, Rally HQ will:

  • promptly forward the request to the Organizer;
  • not respond to the request directly except to confirm receipt and advise the Data Subject to contact the Organizer; and
  • assist the Organizer in fulfilling its obligations to respond.

§9 Liability and Term

  • Liability under this DPA is subject to the Limitation of Liability in the Terms of Service.
  • This DPA enters into force upon Organizer's acceptance of the Terms of Service and continues for the duration of the account.

§10 Conflict

In the event of conflict between this DPA and the Terms of Service or Privacy Policy, this DPA controls with respect to processing of Participant Data on behalf of the Organizer.

§11 Governing Law

This DPA is governed by the laws of the State of Illinois (consistent with the Terms of Service), except that GDPR-related provisions are interpreted in accordance with EU law and CCPA-related provisions in accordance with California law.

§12 Acceptance

By creating an Organizer account and accepting the Terms of Service, the Organizer accepts this DPA. A signed copy is available on request to legal@rallyhq.app for procurement/audit purposes.