Legal & compliance

Data Processing Addendum

This addendum governs our processing of personal data on your behalf and forms part of our agreement with you.

Last updated June 2026

1. Roles

For personal data contained in Customer Data, you act as the controller (or processor on behalf of your own customers) and Rallyum acts as the processor (or sub-processor). This Data Processing Addendum (“DPA”) supplements our Terms of Service.

2. Scope and instructions

We process personal data only to provide the Service and on your documented instructions, including as configured by you in the platform, unless required to do otherwise by law.

3. Confidentiality

Personnel authorised to process personal data are bound by appropriate confidentiality obligations.

4. Security measures

We implement appropriate technical and organisational measures, including encryption in transit and at rest, secret management, role-based access control, workspace isolation, and audit logging, designed to protect personal data against unauthorised or unlawful processing and accidental loss.

5. Sub-processors

You authorise us to engage sub-processors to provide the Service. We impose data-protection obligations on each sub-processor and remain responsible for their performance. A current list is available on request, and we will give notice of intended changes so you may object.

6. International transfers

Where we transfer personal data internationally, we use an approved transfer mechanism such as the Standard Contractual Clauses.

7. Assistance

Taking into account the nature of the processing, we will provide reasonable assistance with data-subject requests, data-protection impact assessments, and consultations with supervisory authorities.

8. Personal data breach

We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data and provide information reasonably required for you to meet your notification obligations.

9. Deletion and return

On termination, we will delete or return personal data in accordance with the Terms and applicable law, subject to legal retention requirements.

10. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits in accordance with the Terms.

11. Contact

To request a signed copy of this DPA or our sub-processor list, contact contact@rallyum.com.