Data Processing Addendum (Draft)

1. Roles and scope

When a site owner uses Riverbank CMS to collect or manage customer data on their own site, the site owner is usually the controller and Riverbank is usually the processor for that customer data.

Riverbank remains a controller for its own platform-account, billing, support, and operational-security data. This draft addendum covers Riverbank's processor role for customer data handled on behalf of site owners.

2. Customer instructions

Riverbank processes customer data on the documented instructions of the site owner as reflected in the customer’s use of the platform, site configuration, support requests, and enabled integrations.

The site owner remains responsible for deciding what data to collect, the lawful basis for that collection, and the accuracy of any notices shown to end customers.

• choosing which forms, bookings, payments, portal features, and integrations to enable
• avoiding unnecessary or unlawful collection of personal data
• ensuring the customer's own privacy notice and terms remain accurate

3. Confidentiality and access

Riverbank limits access to customer data to people who need it for platform operations, customer support, security, or related service delivery work.

That access should be subject to confidentiality expectations and least-privilege controls appropriate to the role being performed.

4. Security measures

Riverbank aims to apply reasonable technical and organisational measures appropriate to the nature of the service and the data involved.

• authenticated access controls and role-based access patterns
• encryption in transit
• logging and monitoring for reliability and security operations
• service maintenance and security updates

5. Subprocessors

Riverbank uses a limited set of direct subprocessors to deliver the platform. The current inventory is maintained on the Subprocessors page linked below.

Customer-configured downstream services such as webhook targets or customer-linked calendar/integration endpoints are listed separately from Riverbank's direct subprocessors.

6. Assistance with privacy requests

The site owner remains the primary point of contact for access, correction, deletion, portability, and objection requests relating to the customer data they control.

Where Riverbank acts as processor, Riverbank will provide reasonable assistance through the tools and operational processes available in the service at the time of the request.

7. Deletion and return

At the end of the service relationship, Riverbank expects to work with the customer on deletion or return of processor-side customer data, subject to platform limitations, legal obligations, security needs, and dispute or accounting retention requirements.

Some deletion and export workflows are still being formalised in product and operations work, so support may be partly operational rather than fully self-serve at this stage.

8. Security incidents

If Riverbank becomes aware of a confirmed personal data incident affecting processor-side customer data, Riverbank expects to work with affected customers without undue delay and share the information reasonably needed for the customer to assess their obligations.

The exact content and timing of any notification will depend on the facts of the incident, the systems involved, and the information available at the time.

9. International transfers

Some platform providers may process data outside the UK or EEA. Riverbank expects to rely on provider contractual commitments, adequacy-based protections where available, or similar provider-documented safeguards when those transfers occur.

For contract-critical or regulated use, customers should confirm the latest provider-specific transfer posture with Riverbank because this draft page is a maintained summary, not a substitute for provider legal documentation.

10. Contact and status

This draft is published for transparency and operational clarity. It may be supplemented by a signed agreement or updated after legal review.

For questions about these processor materials, contact info@riverbankdigital.co.uk.

Support boundaries at a glance