Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between RivalDesk, Inc. ("RivalDesk," "Processor," "we," or "us") and the entity identified as the customer ("Customer," "Controller," or "you") for the provision of the RivalDesk competitive intelligence platform (the "Service").

This DPA applies to the extent that RivalDesk processes Personal Data on behalf of the Customer in the course of providing the Service. This DPA is designed to ensure compliance with the requirements of applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), and other applicable privacy regulations.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings given to them in the Terms of Service.

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by RivalDesk on behalf of the Customer in connection with the Service.
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Sub-processor" means any third party engaged by RivalDesk to process Personal Data on behalf of the Customer.
• "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, UK GDPR, CCPA, and any amendments or successor legislation thereto.
• "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by RivalDesk.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.
• "Supervisory Authority" means an independent public authority responsible for monitoring the application of Data Protection Laws.

2. Scope and Purpose

This DPA applies to all Processing of Personal Data by RivalDesk on behalf of the Customer in the course of providing the Service. The Customer acts as the Controller and RivalDesk acts as the Processor with respect to Personal Data processed under this DPA.

Purpose of Processing

RivalDesk processes Personal Data solely for the following purposes:

• Providing, maintaining, and improving the Service as described in the Terms of Service and applicable order forms.
• Managing Customer accounts, including user authentication, access control, and account administration.
• Delivering competitive intelligence reports, briefings, and notifications as configured by the Customer.
• Providing technical support and customer service in response to Customer requests.
• Ensuring the security, integrity, and availability of the Service.

Customer Instructions

RivalDesk shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Customer's instructions are set forth in this DPA, the Terms of Service, and any applicable order forms. RivalDesk shall promptly inform the Customer if, in its opinion, an instruction violates applicable Data Protection Laws.

3. Data Processing Details

Categories of Data Subjects

The Personal Data processed under this DPA may concern the following categories of Data Subjects:

• Customer employees, contractors, and authorized users of the Service.
• Customer contacts and stakeholders whose information is uploaded to the Service.
• Individuals whose publicly available information is collected as part of competitive intelligence monitoring (e.g., executives, employees, or representatives of competitor organizations).

Types of Personal Data

The Personal Data processed under this DPA may include:

• Contact information (name, email address, phone number, job title, company name).
• Account credentials and authentication data.
• Usage data and interaction logs within the Service.
• IP addresses and device information.
• Publicly available professional information collected through competitive intelligence monitoring.

Duration of Processing

RivalDesk will process Personal Data for the duration of the Customer's subscription to the Service, unless otherwise agreed in writing. Upon termination of the subscription, RivalDesk will handle Personal Data in accordance with Section 8 of this DPA.

4. Security Measures

RivalDesk shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:

Technical Measures

• Encryption: All Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
• Access Controls: Role-based access controls with the principle of least privilege. Multi-factor authentication is required for all employees accessing production systems.
• Network Security: Firewalls, intrusion detection and prevention systems, and network segmentation to isolate production environments.
• Monitoring: 24/7 security monitoring, logging of all access to systems containing Personal Data, and automated alerting for suspicious activity.
• Vulnerability Management: Regular vulnerability scanning, penetration testing by independent third parties, and a responsible disclosure program.

Organizational Measures

• Personnel: Background checks for all employees with access to Personal Data. Annual security awareness training for all staff.
• Policies: Comprehensive information security policies covering data classification, acceptable use, incident response, and business continuity.
• Certifications: SOC 2 Type II certification, with annual audits conducted by an independent third-party auditor.
• Vendor Management: Due diligence and security assessments for all Sub-processors before engagement, with ongoing monitoring.

Incident Response

RivalDesk shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data. The notification shall include the nature of the Security Incident, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the incident.

5. Sub-processors

The Customer provides general authorization for RivalDesk to engage Sub-processors to assist in providing the Service, subject to the following conditions:

• RivalDesk maintains a current list of Sub-processors on its Subprocessors page, which includes the name, purpose, and location of each Sub-processor.
• RivalDesk shall notify the Customer at least 30 days before engaging a new Sub-processor or replacing an existing one, by updating the Subprocessors page and, where possible, by email notification.
• The Customer may object to the engagement of a new Sub-processor within 14 days of receiving notice. If the Customer raises a reasonable objection, RivalDesk shall work with the Customer to find a mutually acceptable solution. If no solution is found, the Customer may terminate the affected portion of the Service.
• RivalDesk shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA.
• RivalDesk remains fully liable for the acts and omissions of its Sub-processors in relation to the Processing of Personal Data.

6. Data Subject Rights

RivalDesk shall assist the Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws. These rights may include access, rectification, erasure, restriction of processing, data portability, and the right to object.

• If RivalDesk receives a request from a Data Subject directly, RivalDesk shall promptly redirect the Data Subject to the Customer and notify the Customer of the request, unless otherwise instructed.
• RivalDesk shall provide the Customer with the technical and organizational means to respond to Data Subject requests through the Service's administrative features.
• Where the Customer is unable to independently address a Data Subject request through the Service, RivalDesk shall provide reasonable assistance upon request. RivalDesk may charge a reasonable fee for assistance that requires significant effort beyond the normal functionality of the Service.

RivalDesk shall also provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under applicable Data Protection Laws.

7. International Transfers

RivalDesk primarily processes Personal Data in the United States. To the extent that Personal Data is transferred from the European Economic Area ("EEA"), United Kingdom, or Switzerland to a country that does not provide an adequate level of data protection as determined by the European Commission, RivalDesk relies on the following transfer mechanisms:

Standard Contractual Clauses

The parties agree that the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) are incorporated into this DPA by reference. For transfers from the EEA, Module Two (Controller to Processor) applies. The details of the transfer are as specified in the annexes to this DPA.

UK International Data Transfer Addendum

For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner's Office) is incorporated into this DPA by reference.

Swiss Data Transfers

For transfers of Personal Data from Switzerland, the Standard Contractual Clauses apply with the modifications required by the Swiss Federal Data Protection Act.

Additional Safeguards

In addition to the transfer mechanisms above, RivalDesk implements the following supplementary measures to protect international data transfers:

• Encryption of Personal Data in transit and at rest as described in Section 4.
• Access controls limiting which personnel can access Personal Data based on role and necessity.
• Contractual commitments from Sub-processors regarding data protection and security.
• Regular assessment of the legal framework in recipient countries and its impact on the protection of transferred Personal Data.

8. Term and Termination

Term

This DPA shall remain in effect for as long as RivalDesk processes Personal Data on behalf of the Customer. The DPA automatically terminates when the Terms of Service or the Customer's subscription to the Service expires or is terminated.

Data Return and Deletion

Upon termination of the Service or upon the Customer's written request:

• RivalDesk shall make the Customer's Personal Data available for export in a commonly used, machine-readable format for a period of 30 days following termination.
• After the 30-day export period, RivalDesk shall delete all Personal Data in its possession or control, including copies in backup systems, within 90 days, unless retention is required by applicable law.
• Upon the Customer's request, RivalDesk shall provide written certification of the deletion of Personal Data.

Survival

The obligations under this DPA that by their nature should survive termination shall continue in effect after termination, including but not limited to confidentiality obligations, Security Incident notification requirements, and data deletion obligations.

Audits and Compliance

RivalDesk shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or a qualified third-party auditor mandated by the Customer.

• The Customer shall provide at least 30 days' prior written notice of any audit request.
• Audits shall be conducted during normal business hours and shall not unreasonably interfere with RivalDesk's operations.
• RivalDesk may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 Type II reports), or other documentation demonstrating compliance.
• The Customer shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by RivalDesk.

Contact

For questions or requests related to this Data Processing Agreement, please contact:

RivalDesk, Inc.
Attn: Data Protection Officer
548 Market Street, Suite 42200
San Francisco, CA 94104
United States

Email: dpo@rivaldesk.com