This Rally Here Data Processing Addendum (“DPA”) forms an integral part of the Rally Here License and Services Agreement (the “Agreement”) entered into by and between Rally Here Interactive, Inc. (“Rally Here”) and the counterparty identified therein (“Company”).
1. Definitions. For purposes of this DPA, the following terms will have the meanings set forth below. Capitalized terms used but not otherwise defined in this DPA will have the meaning given to them in the Agreement.
1.1. “Company Personal Data” means any Personal Data received by Rally Here or a Subprocessor on behalf of Company in connection with the Agreement, or any Personal Data created or otherwise Processed by Rally Here or Subprocessor pursuant to the Agreement that is governed by Data Protection Laws.
1.2. “Data Protection Laws” means any and all laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, in any relevant jurisdiction, each as amended, replaced or superseded from time to time.
1.3. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.4. “Deidentified Information” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular Data Subject.
1.5. “Personal Data Breach” means (a) the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Company Personal Data transmitted, stored or otherwise Processed by Rally Here or any Subprocessor.
1.6. “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
1.7. “Processor” means any person or entity which Processes Company Personal Data, including as applicable any “service provider” or “contractor” as those terms are defined by applicable Data Protection Laws.
1.8. “Regulator” means any independent public authority, government agency, and any similar regulatory authority responsible for the enforcement of Data Protection Laws.
1.9. “Services” means the products and services Rally Here is providing to Company under the Agreement.
1.10. “Subprocessor” means any Processor (including any third party and any Rally Here Affiliate) appointed by or on behalf of Rally Here who may Process Company Personal Data.
2. Processing of Personal Data
2.1. Subject to Rally Here’s compliance with this DPA, Company agrees to make Company Personal Data available to Rally Here for the limited and specified purpose of providing the Services as contemplated by the Agreement. The subject-matter and details of Rally Here’s Processing (including the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects) are set forth in Attachment 1 attached to this DPA.
2.2. Rally Here acknowledges and agrees that, with regard to the Processing of Company Personal Data, Rally Here is acting as a Processor. Rally Here further certifies that Rally Here (a) understands the obligations and restrictions imposed on it by applicable Data Protection Laws in its role as a Processor; (b) will comply with all such obligations, including providing the same level of privacy protection as required by applicable Data Protection Laws; and (c) will notify Company if Rally Here determines it can no longer meet its obligations under applicable Data Protection Laws. Company reserves the right to take reasonable and appropriate steps to help ensure that Rally Here Processes Company Personal Data in a manner consistent with Company’s obligations under Data Protection Laws, including without limitation, the right upon notice to stop and remediate any unauthorized Processing of Company Personal Data.
2.3. Rally Here will only Process Company Personal Data on behalf of Company (a) to the extent, and in such a manner, as is necessary for the purposes of fulfilling its obligations under the Agreement; and (b) in accordance with the terms of the Agreement and this DPA, which together constitute Company’s instructions. The restrictions set forth in this section shall not restrict Rally Here’s ability to Process Company Personal Data where required to do so by applicable laws to which Rally Here is subject; provided, however, Rally Here shall promptly notify Company of such legal requirement before Processing, unless such law prohibits such notification. Rally Here will immediately inform Company if, in Rally Here’s opinion, a Processing instruction violates applicable Data Protection Laws.
2.4. Without limiting Rally Here’s obligations under Section 2.3, Rally Here will not:
2.4.1. retain, use, or disclose Company Personal Data for any purpose other than to perform its obligations under the Agreement, which for the avoidance of doubt prohibits Rally Here from retaining, using, or disclosing Company Personal Data outside of the direct business relationship with Company or for any other purpose;
2.4.2. “sell” or “share” (as those terms are defined by applicable Data Protection Laws) Company Personal Data; or
2.4.3. combine Company Personal Data with Personal Data Rally Here receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to Cal. Civ. Code 1798.185(a)(10).
2.5. If Rally Here receives Deidentified Information from Company, or creates Deidentified Information at Customer’s instruction, Rally Here will (a) take reasonable measures to ensure the Deidentified Information cannot be associated with a Data Subject or household, (b) publicly commit to maintain and use the Deidentified Information in deidentified form, and (c) not attempt to reidentify the Deidentified Information except for the sole purpose of determining whether Rally Here’s deidentification processes satisfy the requirements of applicable Data Protection Laws.
3. Rally Here Personnel. Rally Here will take reasonable steps to ensure that access to Company Personal Data is limited to those of its affiliates, employees, agents, and subcontractors who (a) have a need to know or otherwise access Company Personal Data to enable Rally Here to perform its obligations under the Agreement and this DPA, and (b) who are bound by confidentiality obligations sufficient to protect the confidentiality of Company Personal Data consistent with the terms of this DPA.
4. Security. Rally Here will implement and maintain appropriate technical and organizational safeguards to protect Company Personal Data that are no less rigorous than accepted industry standards for information security and will ensure that all such safeguards comply with applicable Data Protection Laws. Such safeguards are further specified in Attachment 2 attached to this DPA. In assessing the appropriate level of security, Rally Here will take into account the risks that are presented by Processing, in particular from accidental, unauthorized, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Company Personal Data transmitted, stored, or otherwise Processed.
5. Personal Data Breach
6. Subprocessors
6.1. Company hereby authorizes those Subprocessors listed in Section 7 of Attachment 1 to this DPA. Rally Here shall provide at least thirty (30) days’ notice of any subsequent changes to the list of pre-approved Subprocessors. Company shall have ten (10) days after receipt of such notice to object in writing to a new Subprocessor. In the event Company objects to a new Subprocessor based on data protection concerns, as permitted in the preceding sentence, Rally Here will use reasonable efforts to make available to Company a change in the Services or recommend a commercially reasonable change to Company’s use of the Services to avoid Processing of Personal Data by the objected-to new Subprocessor. If Rally Here is unable to make available such changes within a reasonable amount of time, which shall not exceed sixty (60) days, Company may terminate the affected Services by providing not less than ninety (90) days’ written notice to Rally Here.
6.2. With respect to any authorized Subprocessor, Rally Here will:
6.2.1. enter into a written agreement with each Subprocessor containing data protection obligations consistent with those imposed on Rally Here under this DPA and applicable Data Protection Laws with respect to Company Personal Data; and
6.2.2. remain fully liable to Company for its Subprocessors’ breach of this DPA.
7. Data Subject Rights
7.1. Rally Here will promptly notify Company if it receives a request from a Data Subject regarding Company Personal Data, including a request by a Data Subject to exercise a right under Data Protection Laws.
7.2. Rally Here will assist Company in fulfilling Company’s obligations to respond to such requests, including at minimum, maintaining the ability to access, modify, remove from Processing, or irrevocably delete or destroy the Personal Data of an individual Data Subject when requested by Company.
8. Deletion or Return of Company Personal Data
8.1. At any time during the term of the Agreement at Company’s request, or upon the termination or expiration of the Agreement for any reason, Rally Here will, and will instruct all Subprocessors to, promptly (a) return to Company all copies of Company Personal Data in its possession, or the possession of such Subprocessor, or (b) delete and procure the deletion of all other copies of Company Personal Data Processed by Rally Here or any Subprocessor. Rally Here will comply with all reasonable directions provided by Company with respect to the return or deletion of Company Personal Data.
8.2. Notwithstanding Section 8.1 above, Rally Here may retain Company Personal Data if required by applicable law, but only to the extent and for such period as required by such legal requirement. Rally Here will notify Company in writing if it believes that such a legal requirement exists. If required by law to retain Company Personal Data, Rally Here will continue to ensure the security and confidentiality of such Company Personal Data and only Process such Company Personal Data as necessary for the purpose specified in the applicable law requiring such storage.
9. Compliance and Audits
9.1. Upon Company’s request, and at Company’s expense, Rally Here will provide such assistance as Company reasonably requires in ensuring compliance with Company’s obligations under applicable Data Protection Laws, including but not limited to any data protection impact assessments and any prior consultations with any Regulator where required.
9.2. In addition to any audit rights Company may have under the Agreement, Rally Here will make available to Company all information necessary to demonstrate Rally Here’s compliance with this DPA, as well as any applicable Data Protection Laws, and will allow for and contribute to audits, including inspections, by Company, or a third-party auditor mandated by Company, in order to assess Rally Here’s compliance, provided always that:
9.2.1. Company notifies Rally Here in writing with reasonable notice (not less than 30 working days) that such request for information, audit and/or inspection is required by Company;
9.2.2. parties mutually agree the scope of any such audit;
9.2.3. Company ensures that all information received or generated by the Company or its auditor(s) in connection with the requests for information, inspections and audits is kept strictly confidential (except for disclosure to Regulator or as otherwise required under the Data Protection Laws);
9.2.4. Company ensures that the audit or inspection takes place during normal business hours and causes as little disruption as possible to the business operations of Rally Here and the business operations of the Sub-processors, and provided that no more than one such audit or inspection shall be conducted in any 12-month period, unless required by a Regulator; and
9.2.5. Company bears the cost and expense of any audit or inspection.
10. International Data Transfers.
10.1. IF THE PARTIES DO NOT ANTICIPATE RESTRICTED CROSS-BORDER TRANSFERS: Rally Here will not transfer (nor permit to be transferred) Company Personal Data from a jurisdiction where applicable Data Protection Laws require that additional steps, or safeguards, be imposed without Company’s prior written consent. Insofar as the Agreement involves the transfer of Company Personal Data from a jurisdiction where applicable Data Protection Laws require that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, Service Provider agrees to cooperate with Company to take appropriate steps to comply with applicable Data Protection Laws.
10.2. IF THE PARTIES ANTICIPATE TRANSFERS OUTSIDE OF THE EEA: If the Processing (including storage) of Company Personal Data involves the transfer of Company Personal Data from the European Economic Area (“EEA”) to a jurisdiction outside of the EEA where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the European Commission, the parties agree that such transfer(s) will be carried out in accordance with and subject to the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) as set out in Attachment 3 attached to this DPA. To the extent there is any conflict between this DPA and the EU SCCs, the terms of the EU SCCs will prevail.
10.3. IF THE PARTIES ANTICIPATE TRANSFERS OUTSIDE OF THE UK: If the Processing (including storage) of Company Personal Data involves the transfer of Company Personal Data from the United Kingdom (“UK”) to a jurisdiction outside of the UK where the transfer would be prohibited by Data Protection Laws in the absence of standard contractual clauses or another adequate transfer mechanism as approved by the UK Information Commissioner’s Office (“ICO”), the Parties agree that such transfer(s) will be carried out in accordance with and subject to the International Data Transfer Agreement A1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (“UK IDTA”) as set out in Attachment 4 attached to this DPA. To the extent there is any conflict between this DPA and the UK IDTA, the terms of the UK IDTA will prevail.
10.4. Insofar as the Agreement involves the transfer of Company Personal Data from any other jurisdiction where applicable Data Protection Laws require that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, Rally Here agrees to cooperate with Company to take appropriate steps to comply with applicable Data Protection Laws.
11. General Terms. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible; (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. Rally Here reserves the right to propose changes to this DPA from time to time. Such changes shall become effective upon 30 days’ written notice to Company. This DPA and the other portions of the Agreement will be read together and construed, to the extent possible, to be in concert with each other. In the event of any conflict between the Agreement and this DPA, this DPA will govern with respect to the subject matter of this DPA.
List of Attachments:
Attachment 1: Details of Processing
Attachment 2: Description of Technical and Organizational Security Measures
Attachment 3: EU SCCs
Attachment 4: UK IDTA
Details of Processing
1. Subject Matter of Processing
The subject-matter of Processing of Company Personal Data by Rally Here is the performance of the Services pursuant to the Agreement.
2. Nature and Purpose of Processing
Company Personal Data will be Processed as necessary to perform the Services pursuant to the Agreement and will be subject to the following basic Processing activities (please specify):
Receiving data, including collection, accessing, retrieval, recording, and data entry
Holding data, including storage, organization and structuring
Using data, including analyzing, consultation, testing
Updating data, including correcting, adaptation, alteration, alignment and combination
Protecting data, including restricting, encrypting, and security testing
Sharing data, including disclosure, dissemination, allowing access or otherwise making available
Erasing data, including destruction and deletion
3. Duration of Processing
Subject to Section 8 of the DPA, Rally Here will Process Company Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
4. Categories of Data Subjects
The Personal Data Processed concern the following categories of Data Subjects:
Company employees
End-users/players
5. Types of Personal Data
The Processing will involve the following types of Personal Data:
Company employees:
Name and email address
End-users/players:
Platform User ID
Player ID
Email address
IP address
6. List of Subprocessors
The following table sets out the list of Subprocessors that Company has specifically authorized as of the Effective Date.
Entity Name | Description of Service/Processing Activity |
---|---|
Description of Technical and Organizational Security Measures
Rally Here will implement and maintain appropriate technical and organizational measures to meet its obligations under applicable Data Protection Laws. For example, Rally Here will:
inform all employees that Company Personal Data is confidential and subject to contractual and legal protections;
instruct employees to access or display Company Personal Data only in secure locations;
require that all devices used to store or transfer Company Personal Data are encrypted and subject to a strong password policy that requires a password at initial startup and upon waking from sleep;
require multi-factor authorization and other account protection as available;
prohibit employees from using portable drives to hold Company Personal Data;
protect servers behind a firewall and perform vulnerability tests at least biweekly, remediating every 30 days;
use reasonable technical and organizational measures to ensure that Company Personal Data is (i) encrypted when in transit and at rest in a manner designed to prevent access by third parties without appropriate credentials (including government agencies); and (ii) anonymized or pseudonymized where appropriate in light of the purposes of the relevant Processing activities; and
only transfer Company Personal Data using unique and randomly generated links for sharing files, which automatically expire at a maximum of 10 days.
Standard Contractual Clauses - Controller to Processor
The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. The Parties agree that the following terms apply:
1. Clause 7: The Parties have chosen to include Clause 7.
2. Clause 9(a): The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
3. Clause 11(a): The Parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.
4. Clause 13(a): [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
5. Clause 17: [OPTION 1]: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of (specify Member State).
[OPTION 2]: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of (specify Member State).
6. Clause 18(b): The Parties agree that those shall be the courts of [specify Member State].
A. LIST OF PARTIES
Data exporter(s):
Data importer(s):
B. DESCRIPTION OF TRANSFER
Refer to Attachment 1 of this DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
A description of the technical and organisational measures implemented by the data importer(s) is set forth in Attachment 2 of the DPA.
UK International Data Transfer Agreement
Part 1: Tables
Table 1: Parties and signatures
Start date: The Effective Date of the Agreement
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
---|---|---|
Parties’ Details | Rally Here Interactive, Inc. | |
Key Contact | Refer to Signatories of the Agreement | Refer to Signatories of the Agreement |
Importer Data Subject Contact | Refer to Signatories of the Agreement | Refer to Signatories of the Agreement |
Signatures confirming each Party agrees to be bound by this IDTA | Refer to Signatories of the Agreement | Refer to Signatories of the Agreement |
Table 2: Transfer Details
- | - |
---|---|
UK country’s law that governs the IDTA: | England and Wales |
Primary place for legal claims to be made by the Parties | England and Wales |
The status of the Exporter | In relation to the Processing of the Transferred Data: Exporter is a Controller |
The status of the Importer | Importer is the Exporter’s Processor or Sub-Processor |
Whether UK GDPR applies to the Importer | UK GDPR does not apply to the Importer’s Processing of the Transferred Data |
Linked Agreement | If the Importer is the Exporter’s Processor or Sub-Processor – the agreement(s) between the Parties which sets out the Processor’s or Sub-Processor’s instructions for Processing the Transferred Data: Name of agreement: Data Processing Addendum (the “DPA”). Date of agreement: The Effective Date of the Agreement. Parties to the agreement: Refer to Signatories of the Agreement. Reference (if any): None. |
Term | The Importer may Process the Transferred Data for the following time period: the period for which the Linked Agreement is in force |
Ending the IDTA before the end of the Term | the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing. |
Ending the IDTA when the Approved IDTA changes | Which Parties may end the IDTA as set out in Section 29.2: neither Party |
Can the Importer make further transfers of the Transferred Data? | The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data). |
Specific restrictions when the Importer may transfer on the Transferred Data | there are no specific restrictions. |
Review Dates | each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment, to the extent that Importer is made aware of such changes; Importer will conduct a review at the time of contract renewal |
Table 3: Transferred Data
- | - |
---|---|
Transferred Data | The personal data to be sent to the Importer under this IDTA consists of that data outlined in Attachment 1 of the DPA. The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to. |
Special Categories of Personal Data and criminal convictions and offences | The Transferred Data includes data relating to that data outlined in Attachment 1 of the DPA. The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to. |
Relevant Data Subjects | The Data Subjects of the Transferred Data are those data subjects outlined in Attachment 1 of the DPA. The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to. |
Purpose | The Importer may Process the Transferred Data for the purposes set out in the DPA. The purposes will update automatically if the information is updated in the Linked Agreement referred to. |
Table 4: Security Requirements
- | - |
---|---|
Security of Transmission | As set out in Attachment 2 of the DPA. |
Security of Storage | As set out in Attachment 2 of the DPA. |
Security of Processing | As set out in Attachment 2 of the DPA. |
Organisational security measures | As set out in Attachment 2 of the DPA. |
Technical security minimum requirements | As set out in Attachment 2 of the DPA. |
Updates to the Security Requirements | The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to. |
Part 2: Extra Protection Clauses
N/A
Part 3: Commercial Clauses
N/A
Part 4: Mandatory Clauses
Mandatory Clauses
Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses.