Skip to content
Rival

Client Data Processing and GDPR Addendum

Last updated: July 7, 2026

This Data Processing and GDPR Addendum (“DPA”) provides a set of supplemental obligations that SilkRoad Technology, Inc., d/b/a Rival (“Rival”) hereby forms part of the agreement (the “Agreement”) with each Rival client (the “Client”) who has purchased and maintains an active subscription to use Rival’s Software as a Service product (the “Hosted Services”). This DPA shall be effective on the latest date entered into the signature box below. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. In the event that Rival and Client have entered into a separate signed agreement document with regard to compliance with the Data Protection Laws (defined below), this DPA shall not apply; provided, however, that at a minimum, Rival shall in any case be bound by its obligations set forth in this DPA.

1. Definitions

Affiliate” has the meaning set forth in the Agreement.

Agreement” means the agreement between Client and Rival for the provision of the Rival Hosted Service to Client.

California Privacy Statutes” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq., including as amended by the California Privacy Rights Act of 2020.

Client Data” has the meaning set forth in the Agreement.

Client Personal Data” means any Client Data that is Personal Data.

Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the processing of Personal Data under the Agreement, including, where applicable, European Data Protection Law and the California Privacy Statutes.

Data Controller” means an entity that determines the purposes and means of the processing of Personal Data, including the “controller” as defined by European Data Protection Law, and the “business” as defined by the California Privacy Statutes.

Data Processor” means an entity that processes Personal Data on behalf of a Data Controller, including the “processor” as defined by European Data Protection Law, and the “service provider” as defined by the California Privacy Statutes.

European Data Protection Law” means all laws of the European Union and its Member States, the United Kingdom, and Switzerland that apply to the Processing of Personal Data, including, where applicable, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).

“Hosted Service” has the meaning set forth in the Agreement.

Personal Data” means any information relating to an identified or identifiable natural person.

Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.

Security Incident” means any unauthorized or unlawful breach of security in the Hosted Service that leads to the unauthorized disclosure of or access to Client Personal Data.

“Standard Contractual Clauses” means (i) the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”), and (ii) where required by the Data Protection Law of the United Kingdom, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK Addendum”).

Sub-processor” means any Data Processor engaged by Rival or its Affiliates to assist in fulfilling its obligations with respect to providing the Rival Hosted Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Rival’s Affiliates.

2. Scope and Applicability of this DPA

This DPA applies where and only to the extent that Rival Processes Client Personal Data on behalf of Client as Data Processor in the course of providing Hosted Service pursuant to the Agreement.

Notwithstanding expiry or termination of the Agreement, this DPA will remain in effect until, and will automatically expire upon, deletion of all Client Personal Data by Rival as described in this DPA or termination of the Agreement.

3. Roles and Scope of Processing

Role of the Parties. As between Rival and Client, Client is either the Data Controller of Client Personal Data, or in the case that Client is acting on behalf of a third-party Data Controller, then a Data Processor, and Rival shall process Client Personal Data only as a Data Processor acting on behalf of Client.

Client Processing of Personal Data. Client agrees that (i) it, and any processing instructions it issues to Rival, will comply with Data Protection Laws as applicable to Client; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for Rival to process Personal Data and provide the Rival Hosted Service pursuant to the Agreement and this DPA. If Client is itself a Data Processor, Client warrants to Rival that Client’s instructions and actions with respect to that Client Personal Data, including its appointment of Rival as another Data Processor, have been authorized by the relevant Data Controller to the extent required under applicable law.

Client Instructions. Rival will process Client Personal Data only for the purposes described in this DPA and only in accordance with Client’s lawful instructions documented in this DPA, the Agreement, and via Client’s use of the Hosted Service, and in order for Rival to fulfil its obligations to provide Hosted Service under the Agreement (“Client Instructions”), unless otherwise required by applicable law. The parties agree that this DPA and the Agreement set out the Client’s complete and final instructions to Rival in relation to the processing of Client Personal Data. Additional processing outside the scope of these Client Instructions (if any) will require prior written agreement between Client and Rival.

Details of Data Processing.

Subject matter: The subject matter of the data processing under this DPA is the Client Personal Data.

Purpose: The purpose of the data processing under this DPA is the provision of the Rival Hosted Service to the Client and the performance of Rival’s obligations under the Agreement (including this DPA) or as otherwise agreed by the parties in mutually executed written form.

Duration: As between Rival and Client, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.

Nature of the processing: Rival provides the Hosted Service, which may process Client Personal Data upon the instruction of the Client in accordance with the terms of this DPA, the Agreement, and Client Instructions.

Rival Processing of Client Personal Data. Rival will not: (i) retain, use, or disclose Client Personal Data or combine Client Personal Data with Personal Data from other sources, except as necessary to maintain or provide the Rival Hosted Service and its obligations under the Agreement, this DPA, or as necessary to comply with the law or binding order of a governmental body; (ii) “sell” or “share” (as such terms are defined by the California Privacy Statutes) Client Personal Data; or (iii) retain, use, or disclose Client Personal Data other than in the context of the direct relationship with Client in accordance with the Agreement.

4. Sub-processing

Authorized Sub-processors. Client agrees that Rival may engage Sub-processors to provide data centers to host Client Data and the Hosted Services application software, disaster recovery, and backup related services and to otherwise Process Personal Data on its behalf. Client hereby consents to Rival’s use to the Sub-processors currently utilized by Rival to Process Client Personal Data. Rival will provide a then-current list of the Sub-processors engaged by it on Client’s written request. Rival shall inform the Client (via an email or other electronic communication) of any intended addition of any new Sub-processor (whether to replace an existing Sub-processor or otherwise). If Client does not object to such new Sub-processor for a period of 10 days thereafter, Client shall be deemed to have consented to such new Sub-processor. If Client reasonably objects in writing within such 10-day period to Rival’s proposed use of such new Sub-processor, Rival will either (i) refrain from permitting such objected-to new Sub-processor from Processing Client Personal Data within 30 days thereafter; or (ii) notify the Client within 30 days thereafter that it is not able to refrain from using such objected-to new Sub-Processor without adversely impacting the applicable Hosted Services product (“Non-Feasibility Notice”). Upon receipt of such Non-Feasibility Notice, Client shall have the option for a period of 30 days thereafter, terminate upon written notice its subscription to use only those Hosted Services products which cannot be provided by Rival without the use of the objected-to new Sub-processor. Such termination shall be without penalty or liability (other than for fees due and owing to Rival for any services performed prior to such termination) effective immediately upon written notice of such termination to Rival.

Sub-processor Obligations. Rival will: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Client Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any breach of this DPA caused by acts or omissions of the Sub-processor to the same extent that Rival would be liable if such breach was committed by Rival.

5. Security

Security Measures. Rival shall implement and maintain appropriate technical and organizational security measures to preserve the security and confidentiality of the Client Personal Data processed by the Hosted Service.

Security Incident Response. Upon confirming a Security Incident, Rival shall: (i) notify Client without undue delay, and in any event such notification shall, where feasible, occur no later than 72 hours from Rival confirming the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Client; and (iii) Rival shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Rival’s notification of or response to a Security Incident under this Section 5.2 (Security Incident Response) will not be construed as an acknowledgment by Rival of any fault or liability with respect to the Security Incident.

6. Client Responsibilities.

Client agrees that Rival has no obligation to protect Client Personal Data that Client elects to store or transfer outside of Rival’s systems (for example, offline or on-premise storage on Client’s computers).

7. International Transfers

Rival hosts Client Personal Data in the United States unless otherwise specified in the Agreement or the applicable Order Form), provided, however, that Client’s Users may access and use the Hosted Service via the Internet from any international location where they connect to the Internet, and international transfers of Client Personal Data may take place in the ordinary course of providing Support and Maintenance for the Hosted Services. In the event that Client is subject to European Data Protection Law and the transfer of Client Personal Data to Rival would be restricted in the absence of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Client as the “data exporter” and Rival as the “data importer.” The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the court in Clause 18(b) are the Courts of the Republic of Ireland; and Annex 1, 2 and 3 to the Standard Contractual Clauses are described in this DPA. Where applicable, Part 1, tables 1, 2 and 3 of the UK Addendum will be deemed to be completed like its equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is the importer.

8. Return or Deletion of Client Data

Deletion by Client. Rival will cooperate with Client to enable deletion of Client Personal Data in accordance with the procedures set forth in 9.1 below.

Deletion on Termination. For 90 days following termination or expiration of the Agreement, Client may retrieve any remaining Client Personal Data in accordance with the Agreement. Thereafter, Client hereby instructs Rival to automatically delete all remaining Client Personal Data. Rival shall not be required to delete Client Personal Data to the extent (i) Rival is required by applicable law or order of a governmental or regulatory body to retain some or all of the Client Personal Data; and/or (ii), Client Personal Data it has archived on back-up systems, which Client Personal Data Rival shall securely isolate and protect from any further processing, except to the extent required by applicable law.

9. Cooperation

The Rival Hosted Service provides Client with a number of controls that Client may use to retrieve, correct, or delete Client Personal Data, which Client may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Client is unable to access the relevant Client Personal Data within the Rival Hosted Service using existing controls or otherwise, Rival shall offer consulting services to Client at time and materials rates to reasonably assist Client in responding to any requests from individuals or applicable data protection authorities relating to the processing of Client Personal Data under the Agreement. In the event that any request from individuals or applicable data protection authorities is made directly to Rival, Rival shall not respond to such communication directly without Client’s prior authorization, unless legally compelled to do so, and instead, after being notified by Rival, Client shall respond. If Rival is required to respond to such a request, Rival will promptly notify Client and provide it with a copy of the request unless legally prohibited from doing so.

Client acknowledges that Rival is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each Data Processor and/or Data Controller on behalf of which Rival is acting and, where applicable, of such Data Processor’s or Data Controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Client will, where requested, provide such information to Rival.

Security Reports and Audits. Rival shall provide written responses on a confidential basis to reasonable requests for information made by Client related to its Processing of Client Personal Data related to information security and audit questionnaires necessary to confirm Rival’s compliance with this DPA and the Data Protection Laws, provided that Client shall not exercise this right more than once per year, and any such request shall not be made in a manner so as to interfere with Rival business.

In the event the Client is required to carry out data protection impact assessments under European Data Protection Law, Rival will (at Client’s request and expense) no more than once annually, provide reasonably requested information regarding the Rival Hosted Service to enable the Client to carry out such data protection impact assessments.

10. California Privacy Statutes Standard of Care; No Sale or Sharing of Personal Information

Rival acknowledges and confirms that it does not receive or process any Client Personal Data as consideration for any services or other items that Rival provides to Client under the Agreement. Rival shall not: (i) retain, use, or disclose Client Personal Data or combine Client Personal Data with Personal Data from other sources, except as necessary to maintain or provide the Rival Hosted Service and its obligations under the Agreement, this DPA, or as necessary to comply with the law or binding order of a governmental body; (ii) “sell” or “share” (as such terms are defined in the California Privacy Statutes) any Client Personal Data Processed hereunder without Client’s prior written consent; or (iii) retain, use, or disclose Client Personal Data other than in the context of the direct relationship with Client in accordance with the Agreement. Rival shall comply with the California Privacy Statures as applicable to it and notify Client if it determines that it can no longer meet its obligations under the California Privacy Statutes.

11. Relationship with the Agreement

Precedence. The parties agree that DPA shall replace any existing DPA the parties may have previously entered into in connection with the Rival Hosted Service. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with its subject matter.

Liability. The liability of each party and each party’s Affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.

Applicable Law. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

Termination. This DPA will continue for so long as Rival is hosting, storing and/or processing Client Personal Data in connection with the Agreement.