Data Processing Agreement (DPA) for Revyoo
Last updated: 22nd November 2024
This Data Processing Agreement (“DPA”) is part of the Terms of Service (“Agreement”) between [Customer Name] (“Customer,” “you,” “your”) and Revyoo (“the Software,” “Processor,” “we,” “our,” “us”). This DPA governs the processing of personal data that we perform on behalf of the Customer in connection with the provision of the Software, in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Definitions
- Data Controller: The entity that determines the purposes and means of the processing of personal data.
- Data Processor: The entity that processes personal data on behalf of the Data Controller.
- Data Subject: Any identified or identifiable individual whose personal data is processed.
- Personal Data: Any information relating to an identified or identifiable individual.
- Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, disclosure, or erasure.
- Sub-Processor: Any third party appointed by the Processor to process personal data on behalf of the Customer.
2. Roles and Responsibilities
- Customer as Data Controller: The Customer acts as the Data Controller for all personal data processed through the Software. As Data Controller, the Customer is responsible for determining the legal basis for processing and ensuring compliance with applicable data protection laws.
- Revyoo as Data Processor: Revyoo acts as the Data Processor and processes personal data on behalf of the Customer in accordance with this DPA and the Customer’s instructions.
3. Types of Personal Data Processed
Revyoo processes the following types of personal data on behalf of the Customer:
- End-user data: Names, email addresses, reviews, feedback, video testimonials, and other information submitted through review requests or landing pages.
- Customer data: Names, email addresses, contact information, login credentials, and other business-related data.
- Usage data: IP addresses, device information, and data related to the usage of the Software.
The scope of the data processed may change based on the services provided by Revyoo, and the Customer will be informed accordingly.
4. Purpose of Processing
Revyoo processes personal data for the following purposes:
- Aggregating reviews from third-party platforms (e.g., Google, Facebook).
- Responding to reviews via artificial intelligence on behalf of the Customer.
- Sending review request campaigns and processing feedback.
- Sharing reviews through widgets and social media platforms.
- Performing analytics to track and enhance reputation management.
- Automating processes such as the sending of review requests.
5. Duration of Processing
The processing of personal data will continue for the duration of the Agreement, unless otherwise required by law or requested by the Customer for data deletion.
6. Processor Obligations
Revyoo agrees to:
- Process data only under instructions from the Customer: We will process personal data only as necessary to provide the Software and in accordance with the Customer’s documented instructions.
- Ensure confidentiality: We will ensure that all employees or contractors involved in processing personal data are subject to a duty of confidentiality.
- Implement security measures: We will implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, or disclosure.
- Assist the Customer: We will assist the Customer in fulfilling its obligations to respond to data subject requests (e.g., requests for access, rectification, deletion, or portability) and in ensuring compliance with applicable laws, including performing data protection impact assessments when required.
- Data breach notification: In the event of a personal data breach, we will notify the Customer without undue delay after becoming aware of the breach and provide reasonable information and assistance.
7. Customer Obligations
As Data Controller, the Customer agrees to:
- Provide lawful instructions: The Customer will ensure that all instructions provided to Revyoo are lawful and comply with applicable data protection laws.
- Inform data subjects: The Customer is responsible for providing data subjects with any necessary privacy notices and obtaining the required consents where applicable.
- Ensure legal basis for processing: The Customer must ensure that there is a valid legal basis for processing personal data (e.g., consent, legitimate interest, contract performance).
- Respond to data subject requests: The Customer will handle all data subject requests related to the personal data processed through the Software. Revyoo will assist upon request.
8. Sub-Processors
Revyoo may engage Sub-Processors to process personal data on behalf of the Customer. We will:
- Ensure that any Sub-Processor we engage provides the same level of data protection and security as required by this DPA.
- Inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving the Customer the opportunity to object.
- Remain fully liable for the performance of our Sub-Processors.
A list of current Sub-Processors can be provided upon request.
9. International Data Transfers
Revyoo may transfer personal data to countries outside the European Economic Area (EEA) or other regions with data protection laws different from those in your jurisdiction. Where such transfers occur, we will ensure that appropriate safeguards are in place to protect the personal data, such as relying on Standard Contractual Clauses (SCCs) or other lawful mechanisms.
10. Security Measures
Revyoo implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data during transmission.
- Access controls to prevent unauthorized access to data.
- Regular security assessments and audits.
- Incident response plans to handle data breaches.
11. Data Subject Rights
Revyoo will assist the Customer in ensuring compliance with data subjects’ rights under applicable data protection laws, including the rights to:
- Access their personal data.
- Rectify inaccurate or incomplete data.
- Request erasure of their data (“right to be forgotten”).
- Restrict or object to the processing of their data.
- Receive their data in a portable format (where applicable).
Requests from data subjects will be forwarded to the Customer for handling, and Revyoo will provide assistance as necessary.
12. Data Retention and Deletion
Upon termination or expiration of the Agreement, Revyoo will, at the Customer’s request:
- Return all personal data processed on behalf of the Customer, or
- Delete all personal data, unless retention is required by law.
13. Audit Rights
The Customer has the right to request audits or inspections of Revyoo‘s processing activities to ensure compliance with this DPA. The Customer agrees that such audits will be conducted at its own cost, with reasonable notice and minimal disruption to our operations.
14. Liability
Both parties agree that their liability under this DPA will be subject to the limitations and exclusions set out in the Agreement, except where such limitations are prohibited by applicable data protection laws.
15. Governing Law
This DPA shall be governed by and construed in accordance with the laws of [insert jurisdiction], without regard to its conflict of laws principles.
16. Termination
This DPA shall remain in effect as long as Revyoo processes personal data on behalf of the Customer. Upon termination of the Agreement, the terms of this DPA will continue to apply for as long as Revyoo retains personal data.
17. Contact Information
If you have any questions or concerns regarding this DPA or your data privacy rights, please contact us at: [insert email address].