Legal · last updated April 24, 2026

Data processing addendum

This is the customer-facing data processing addendum (“DPA”) you can countersign with Competitor Intelligence. It names us as the processor, references the subprocessor list on /privacy#subprocessors, and incorporates the EU Standard Contractual Clauses and the UK Addendum for international transfers.

The PDF above is pre-signed by RivalScope. Add your signature on the last page and email a counter-signed copy to legal@competitorintelligence.co. If your team prefers an embedded e-sign flow, write to the same address and we will route it through DocuSign.

Background and scope

This Data Processing Addendum (“DPA”) is entered into between RivalScope (“Processor,” “we,” “us”) and the customer named on the signature page below (“Controller,” “you”). It supplements the Terms of Service between you and us (the “Agreement”) and applies to our processing of Personal Data on your behalf in connection with your use of the Service.

If there is a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.

1. Definitions

Applicable Data Protection Law means the EU GDPR, the UK GDPR, the Swiss FADP, the CCPA / CPRA, and any other applicable data protection or privacy law.

Personal Data, Controller, Processor, Sub-processor, and Process(ing) have the meanings given in the Applicable Data Protection Law.

Customer Personal Data means Personal Data we Process on your behalf under the Agreement.

Standard Contractual Clauses or SCCs means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914, with Module Two (controller-to-processor) and Module Three (processor-to-processor) selected as applicable.

2. Roles of the parties

You are the Controller of Customer Personal Data. We are the Processor. We will Process Customer Personal Data only to provide the Service to you and otherwise in accordance with your documented instructions, including those set out in the Agreement and this DPA.

3. Subject matter, duration, nature, purpose

Subject matter: the provision of the Service. Duration: the term of the Agreement plus any post-termination retention required by section 11. Nature and purpose: see Annex 1.

4. Personal data and data subjects

See Annex 1 for the categories of Personal Data and Data Subjects.

5. Your obligations as Controller

You will:

  • provide all required notices and obtain all required consents to enable us to lawfully Process Customer Personal Data;
  • ensure your instructions and your use of the Service comply with Applicable Data Protection Law;
  • be responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which you acquired it;
  • not submit special category data, payment card numbers outside Stripe-hosted fields, government identifiers, or children's data through the Service.

6. Our obligations as Processor

We will:

  • Process Customer Personal Data only on your documented instructions, except as required by law (in which case we will inform you unless prohibited);
  • ensure that personnel authorised to Process Customer Personal Data are bound by confidentiality;
  • implement and maintain the technical and organisational measures set out in Annex 3;
  • assist you, taking into account the nature of the Processing, in responding to requests from Data Subjects and in meeting your obligations under Articles 32 to 36 of the GDPR;
  • at your choice, return or delete Customer Personal Data at the end of the Service in accordance with section 11;
  • make available to you the information necessary to demonstrate compliance with Article 28 of the GDPR.

7. Sub-processors

You provide a general authorisation for us to engage Sub-processors. Our current Sub-processors are listed at /privacy#subprocessors. We will:

  • impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA;
  • remain liable for each Sub-processor's acts and omissions to the same extent we would be if we performed the Processing ourselves;
  • notify you at least thirty (30) days before adding or replacing a Sub-processor, by email to your account owner and by updating the page above. You may object on reasonable data-protection grounds during that period; if we cannot resolve your objection, you may terminate the affected Service for convenience and receive a pro-rata refund of pre-paid fees.

8. International data transfers

Where Customer Personal Data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the transfer is governed by:

  • the EU SCCs (Module Two, controller-to-processor; Module Three, processor-to-processor where applicable), incorporated by reference into this DPA, with Clause 7 (the docking clause) included, the option in Clause 9(a) selected (general written authorisation, 30 days' notice), Clause 11(a) without the optional language, Clause 17 Option 1 governed by the law of Ireland, and Clause 18(b) jurisdiction in the courts of Ireland;
  • for transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs (version B1.0 issued by the ICO), incorporated by reference, with Tables 1, 2, and 3 completed using the information in the SCCs and the parties named on the signature page;
  • for transfers from Switzerland, the EU SCCs as amended by Swiss FADP guidance from the Federal Data Protection and Information Commissioner: references to the GDPR are read to include the FADP, references to EU Member States include Switzerland, and the supervisory authority is the FDPIC.

The signature page below also serves as the signature page for the SCCs and the UK Addendum.

9. Personal data breach notification

We will notify you of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within seventy-two (72) hours of becoming aware of it, with the information available to us at the time and updates as the investigation progresses.

10. Assistance with rights and authorities

Taking into account the nature of the Processing, we will provide reasonable assistance, by appropriate technical and organisational measures, to help you respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law and to comply with your obligations to engage with supervisory authorities.

11. Return or deletion

On termination or expiry of the Service, we will, at your written request received within thirty (30) days of termination, return or delete Customer Personal Data. After that period we will delete Customer Personal Data within ninety (90) days, except where retention is required by law (e.g. invoices for tax purposes) or in encrypted backups, which are rotated out within ninety (90) further days.

12. Audits

We will make available to you the information necessary to demonstrate compliance with Article 28 of the GDPR and contribute to audits, including inspections, conducted by you or another auditor mandated by you, in each case subject to reasonable confidentiality undertakings, no more than once per twelve-month period (except where required following a Personal Data Breach or by a competent supervisory authority), at your cost, and on at least thirty (30) days' written notice. We may discharge this obligation by providing copies of relevant third-party certifications and audit reports.

13. CCPA / CPRA

For Customer Personal Data subject to the CCPA / CPRA, we are a Service Provider and you are a Business as those terms are defined. We will not (i) sell or share Customer Personal Data, (ii) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement and this DPA, or (iii) combine it with personal information from any other source except as permitted by §7050(b) of the CCPA Regulations. We certify that we understand and will comply with these restrictions.

14. Liability

Each party's liability under this DPA, including under the SCCs and the UK Addendum, is subject to the limitations and exclusions of liability set out in the Agreement.

15. Order of precedence

In the event of a conflict between (a) the Agreement, (b) this DPA, and (c) the SCCs / UK Addendum, the order of precedence is: SCCs / UK Addendum (for transfers they govern), then this DPA, then the Agreement.

16. Term

This DPA will remain in force as long as we Process Customer Personal Data on your behalf.

17. Governing law

This DPA is governed by the law of the State of Delaware, United States, except where Applicable Data Protection Law mandates otherwise (including section 8 above).

18. How to execute

There are two ways to put this DPA in force:

  • Download the PDF. The pre-signed PDF already contains our signature. Fill in the Customer signature block on the last page, sign, and email a counter-signed copy to legal@competitorintelligence.co. The DPA takes effect on the date of the later signature.
  • Embedded e-sign. If you need a DocuSign or similar flow, or you need Customer-specific changes, write to the same address and we will route it through our e-sign provider.

Annex 1 — Description of processing

  • Subject matter. Provision of the competitor monitoring software-as-a-service.
  • Nature and purpose. Hosting and operating workspaces; storing competitor lists, alert preferences, and integration credentials; sending digests and alerts; routing in-app AI chat prompts to inference subprocessors; processing payment metadata via Stripe.
  • Duration. The term of the Agreement plus the retention windows in section 11.
  • Categories of Data Subjects. (i) the Customer's authorised users (typically employees and contractors); (ii) recipients the Customer adds to digests and webhooks; (iii) individuals whose contact details the Customer chooses to enter into chat or workspace fields.
  • Categories of Personal Data. Name, business email address, hashed authentication credential, workspace metadata (workspace name, time zone, plan), workspace configuration (competitor domains, alert preferences, connected integration endpoints such as Slack workspace IDs or webhook URLs), product usage logs (page views, API request metadata), email-delivery telemetry (delivered / bounced / complained), Stripe customer ID and invoice history, support email correspondence.
  • Sensitive data. None Processed by design. Customer is responsible for not submitting special category data per section 5.
  • Frequency. Continuous for the term of the Service.

Annex 2 — Sub-processors

The current list of authorised Sub-processors is published at /privacy#subprocessors and is reviewed each time we add or replace a Sub-processor. We will give thirty (30) days' notice of changes per section 7.

Annex 3 — Security measures

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest for the primary database and object storage.
  • Authentication tokens stored as one-way hashes; passwords hashed with a current industry-standard KDF.
  • Role-based access controls; production access limited to the small operations team; access events are logged.
  • Network isolation between production and non-production environments; no shared databases.
  • Daily encrypted backups with point-in-time recovery, tested at least annually.
  • Vulnerability management: dependency audit on each release; secrets scanning; static application security testing.
  • Personnel undergo background checks where permitted by law and sign confidentiality agreements as a condition of employment.
  • Security incident response runbook with on-call rotation; Personal Data Breach notification per section 9.
  • Sub-processors are selected, in part, on the basis of their published security and privacy posture; see Annex 2.

Annex 4 — SCCs schedule

  • Modules. Two (controller-to-processor) and Three (processor-to-processor) as applicable.
  • Clause 7 (docking). Included.
  • Clause 9 (sub-processors). Option 2 (general authorisation) with thirty (30) days' notice.
  • Clause 11 (redress). The optional language is not included.
  • Clause 17 (governing law). Option 1; the law of Ireland.
  • Clause 18 (forum and jurisdiction). The courts of Ireland.
  • Annex I.A. List of parties. See signature page.
  • Annex I.B. Description of transfer. See Annex 1 above.
  • Annex I.C. Competent supervisory authority. The supervisory authority of the EEA Member State where the Customer is established, or, where the Customer is not established in the EEA, the Irish Data Protection Commission.
  • Annex II. Technical and organisational measures. Annex 3 above.
  • Annex III. List of sub-processors. Annex 2 above.

Signature page

Signing this DPA also signs the SCCs and UK Addendum incorporated by reference in section 8.

Customer (Controller)

  • Legal name: ____________________________________________
  • Address: ____________________________________________
  • Signed by (full name and title): ____________________________________________
  • Signature: ____________________________________________
  • Date: ____________________________________________

RivalScope (Processor)

Pre-signed by RivalScope on the Effective Date below. The PDF version of this DPA carries our wet signature on the same page.

  • Signed by: RivalScope, authorised signatory
  • Effective Date: April 24, 2026

Need a redline or an embedded e-sign flow? Email legal@competitorintelligence.co and a real person will reply.