Sub-Processors
1. Introduction
Rally HQ — operated by Signal X Studio LLC — engages a small number of third-party sub-processors to provide the Service. This page lists current sub-processors that may have access to Personal Data we process on behalf of Tournament Organizers (under GDPR Art. 28) or Personal Information we process as a Service Provider (under CCPA / CPRA).
Notice of changes. We will publish updates to this page at least 30 days before adding a new sub-processor or replacing an existing one. Organizers should review this page periodically; material changes will also be emailed to the Organizer account holder where reasonably practicable. Organizers may object on reasonable grounds within the notice period; see our Data Processing Addendum §4 for the objection mechanism.
2. Current Sub-Processors
The following sub-processors are currently engaged by Signal X Studio LLC in the operation of Rally HQ.
| Sub-processor | Service provided | Processing region | Data accessed | DPA / Compliance |
|---|---|---|---|---|
| Supabase, Inc. | PostgreSQL database hosting; Magic Link authentication; row-level security | US (default) — region configurable per project | All Service data: organizer accounts, participant rosters, tournament data, registration consents, session tokens | DPA · SOC 2 Type II · HIPAA-ready |
| Stripe, Inc. | Subscription payment processing for Organizer accounts | Global (primary US) | Organizer billing email, payment method tokens, transaction history. Rally HQ does not store cardholder data — PCI scope is SAQ-A | DPA · PCI DSS Level 1 · SOC 1 Type II · SOC 2 Type II |
| Cloudflare, Inc. | Pages hosting (production deployment); DNS; CDN | Global edge network | Application traffic, IP addresses for DDoS protection, cached static assets | DPA · SOC 2 Type II · ISO 27001 |
| PostHog Inc. | Product analytics | US (default) | Anonymized/pseudonymized usage events, page views, feature interactions, device + browser metadata. Configured to honor browser Do Not Track | DPA · SOC 2 Type II |
| Resend, Inc. | SMTP transport for transactional email (Magic Links, notifications). Engaged as the SMTP provider configured behind Supabase Auth's email service — Supabase manages the auth-and-email integration, Resend transmits the message. | US (default) | Recipient email addresses, message subject + body, delivery status | DPA · SOC 2 Type II |
Note on hosting stack. Rally HQ production is deployed on Cloudflare Pages using the SvelteKit Cloudflare adapter (per wrangler.toml). Vercel was evaluated during development and is not currently
used in production; it has been omitted from the table above. [REMOVE THIS NOTE if Vercel is reintroduced]
3. International Transfers
Rally HQ is based in the United States, and most sub-processors process Personal Data in the United States. For Personal Data originating in the European Economic Area, United Kingdom, or Switzerland, transfers are protected by:
- EU Standard Contractual Clauses (Module 2: Controller to Processor) incorporated by reference in each sub-processor's DPA
- UK International Data Transfer Addendum where applicable
- Supplementary measures as recommended by the European Data Protection Board
See our Data Processing Addendum §6 for the SCC framework.
4. Historic Sub-Processors
For transparency, we list sub-processors removed in the past 12 months. No sub-processors have been removed in the past 12 months.
5. Questions
For privacy and sub-processor questions, contact us at:
- Privacy inquiries: privacy@rallyhq.app
- Audit / procurement requests: legal@rallyhq.app