Data processing addendum (DPA)
- Effective: 17 May 2026
- Last updated: 17 May 2026
In short: When a Club uses Cavaliq, the Club is the data controller of its riders' and horses' data, and Cavaliq is the data processor. This addendum sets out the security, sub-processing, breach-notification, and transfer-mechanism obligations Cavaliq commits to.
This Data Processing Addendum (the “DPA”) supplements the Terms of Service between Cavaliq and the Club. It governs the processing of personal data that the Club provides to Cavaliq, or that Cavaliq otherwise processes on the Club’s behalf, in connection with the platform. In the event of a conflict between the Terms and this DPA on a privacy matter, this DPA controls.
This DPA is designed to be compliant with UAE Federal Decree-Law No. 45 of 2021 (PDPL), the EU and UK GDPR (Article 28), the Saudi PDPL (Royal Decree M/19 of 2021), and equivalent GCC laws.
1. Definitions
- Applicable Data Protection Law means any law applicable to the processing of personal data under this DPA, including UAE PDPL, GDPR, UK GDPR, Saudi PDPL, and equivalent laws of the countries where the Club operates.
- Personal Data, Processing, Controller, Processor, Data Subject, and Sub-processor have the meanings given in the Applicable Data Protection Law.
- Club Personal Data means Personal Data that the Club or its end-users provide to Cavaliq, or that Cavaliq processes on behalf of the Club.
- Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Club Personal Data.
2. Roles
For all Club Personal Data:
- The Club is the Controller.
- Cavaliq is the Processor.
Cavaliq will only process Club Personal Data in accordance with the Club’s documented instructions, which are taken to be: (a) the Terms of Service; (b) this DPA; (c) any documented configuration of the platform that the Club applies; (d) any specific written instruction the Club gives. Cavaliq will inform the Club if, in its opinion, an instruction infringes Applicable Data Protection Law.
3. Scope and purpose of processing
- Subject matter: Provision of the Cavaliq platform.
- Duration: For the term of the Club’s subscription, plus the export window and the retention period defined in the privacy policy.
- Nature: Hosting, storage, backup, transmission, retrieval, analysis, and deletion of Club Personal Data.
- Purpose: Enabling the Club to manage bookings, riders, horses, staff, payments, and communications.
- Categories of Data Subjects: The Club’s staff, coaches, riders, parents and guardians, horse owners, and any other end-users the Club invites.
- Categories of Personal Data: Identity and contact data; account and authentication data; rider profile data; emergency-contact data; medical notes and allergies (sensitive); horse ownership and care data; booking and lesson history; payment-token and transaction-reference data; product-usage and audit data.
4. Security measures
Cavaliq will implement and maintain appropriate technical and organisational measures to protect Club Personal Data against the risks listed in Applicable Data Protection Law. These measures include:
- Encryption in transit: TLS 1.2 or higher on every external connection. HSTS enforced.
- Encryption at rest: Database storage encryption. Field-level encryption of designated sensitive fields (rider medical notes, horse veterinary diagnosis and treatment).
- Access control: Multi-factor authentication for staff with production access. Least-privilege role-based access inside Cavaliq. All access reviewed periodically.
- Tenant isolation: Application-layer tenant scoping enforced on every database query, with automated tests verifying that one Club cannot access another Club’s data.
- Audit logging: Per-request audit log of who accessed or changed what. Logs retained for at least 12 months.
- Network: Strict outbound allow-list; Content Security Policy with nonce-based script-src; rate limiting on public endpoints.
- Vulnerability management: Automated dependency scanning, regular patching, and an internal review of security findings.
- Backups: Encrypted backups of the production database with a documented restore process.
- Personnel: Confidentiality obligations on all staff and contractors with access to Club Personal Data.
5. Confidentiality
Cavaliq ensures that anyone it authorises to process Club Personal Data is bound by appropriate confidentiality obligations.
6. Sub-processors
The Club provides general authorisation for Cavaliq to engage sub-processors, subject to the conditions in this section.
- Cavaliq publishes its current sub-processors on the subprocessors page.
- Cavaliq will give the Club at least 10 days’ notice before adding or replacing a sub-processor. Notice will be by email to the billing contact on file and by updating the subprocessors page.
- The Club can object to a new sub-processor on reasonable data protection grounds within the notice period. If the parties cannot agree on a way to address the objection, the Club may terminate its subscription at the end of the then-current billing period with a pro-rata refund of any prepaid fees covering the period after termination.
- Each sub-processor is bound by written terms that impose obligations equivalent to those in this DPA.
7. Data subject rights
Cavaliq will, taking into account the nature of the processing, provide reasonable assistance to the Club so the Club can respond to data subject requests under Applicable Data Protection Law. If Cavaliq receives a request directly from a data subject about Club Personal Data, Cavaliq will forward it to the Club rather than respond directly, unless it is legally required to act.
8. Security incident notification
Cavaliq will notify the Club without undue delay, and in any event:
- within 72 hours of becoming aware of a Security Incident affecting Club Personal Data, where Applicable Data Protection Law requires the Club to notify a regulator within 72 hours; and
- without undue delay in all other cases.
Each notification will include, to the extent known at the time:
- A description of the nature of the Security Incident and the categories and approximate number of Data Subjects and records concerned;
- The name and contact details of Cavaliq’s point of contact;
- The likely consequences of the Security Incident;
- The measures Cavaliq has taken or proposes to take to address it.
Cavaliq will follow up with additional information as the investigation develops. Cavaliq will also assist the Club, taking into account the nature of the processing, in carrying out any required notification to data subjects or supervisory authorities.
9. DPIAs and prior consultation
Cavaliq will provide reasonable assistance to the Club in carrying out any data protection impact assessment or prior consultation with a supervisory authority that the Club is required to perform in connection with the platform.
10. International transfers
The Club acknowledges that Cavaliq processes Club Personal Data outside the country of origin of the Data Subjects, including in the United States and at global Cloudflare edge locations (see the subprocessors page). Cavaliq will rely on the following safeguards as applicable:
- EU Standard Contractual Clauses where transfers are made from the EEA or UK;
- The transfer mechanisms permitted under UAE PDPL and Saudi PDPL for transfers from those jurisdictions;
- Other lawful safeguards required by Applicable Data Protection Law.
11. Audits
Cavaliq will make available to the Club all information reasonably necessary to demonstrate compliance with this DPA. On reasonable written notice, and no more than once per twelve months unless required by a regulator or following a Security Incident, the Club may audit Cavaliq’s data protection practices. Audits will be conducted during normal business hours, will not unreasonably disrupt operations, and will respect the confidentiality of Cavaliq’s other customers. Cavaliq may satisfy an audit request by providing third-party attestations or reports where available.
12. Return and deletion of data
On termination of the subscription, Cavaliq will make Club Personal Data available for export for 30 days. After that, Cavaliq will delete or anonymise Club Personal Data in accordance with the retention schedule in the privacy policy, subject to any legal retention requirement (for example, payment records required by tax law).
13. Liability and precedence
Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service. In the event of a conflict between this DPA and the Terms on a privacy matter, this DPA controls.
