Data Processing Addendum

Effective Date: December 9, 2024

This Data Processing Addendum ("DPA") forms part of the RevnuView Customer Terms of Service (the "Agreement") between RevnuView, Inc. ("RevnuView," "we," "us," or "our") and Customer ("you" or "your"). This DPA governs the processing of Personal Data in connection with the Subscription Services.

1. Definitions

1.1 General Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by RevnuView on behalf of Customer in connection with the Subscription Services.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data. Customer is the Controller.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller. RevnuView is the Processor.
  • "Sub-processor" means any third-party processor engaged by RevnuView to process Personal Data.
  • "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including but not limited to the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other similar legislation.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

2. Scope and Roles

2.1 Scope of Processing

This DPA applies to all Personal Data processed by RevnuView on behalf of Customer in connection with the Subscription Services, including but not limited to:

  • Contact information (names, email addresses, phone numbers, job titles)
  • Sales activity data (email opens, link clicks, document views, meeting attendance)
  • Engagement metrics (time spent, interaction frequency, heat map data)
  • Deal and account information
  • User account data (login credentials, preferences, usage logs)

2.2 Roles and Responsibilities

Customer as Controller: Customer is the Controller of Personal Data and is responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring lawful basis for processing (e.g., consent, legitimate interest)
  • Providing privacy notices to Data Subjects
  • Responding to Data Subject requests
  • Compliance with Data Protection Laws

RevnuView as Processor: RevnuView is the Processor and will:

  • Process Personal Data only on documented instructions from Customer
  • Implement appropriate technical and organizational security measures
  • Assist Customer in responding to Data Subject requests
  • Notify Customer of data breaches without undue delay
  • Delete or return Personal Data upon termination

3. Processing Instructions

3.1 Lawful Processing

RevnuView will process Personal Data only in accordance with Customer's documented instructions, which include:

  • Processing necessary to provide the Subscription Services as described in the Agreement
  • Processing to comply with applicable legal obligations
  • Processing as otherwise instructed by Customer through the platform or in writing

3.2 Prohibited Processing

RevnuView will not:

  • Sell Personal Data to third parties
  • Process Personal Data for purposes other than providing the Subscription Services
  • Retain Personal Data longer than necessary or beyond the Subscription Term
  • Transfer Personal Data outside the scope of this DPA without Customer's consent

4. Security Measures

4.1 Technical and Organizational Measures

RevnuView implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and regular security audits
  • Incident Response: 24/7 monitoring and incident response procedures
  • Employee Training: Regular security and privacy training for all personnel
  • Vulnerability Management: Regular penetration testing and vulnerability scanning

For detailed security practices, see our Security Statement.

4.2 Data Breach Notification

In the event of a Personal Data breach, RevnuView will:

  • Notify Customer without undue delay (within 72 hours of discovery)
  • Provide details of the breach, affected Data Subjects, and potential consequences
  • Describe measures taken to address the breach and mitigate harm
  • Cooperate with Customer in notifying Data Subjects and regulatory authorities as required

5. Sub-processors

5.1 Authorized Sub-processors

Customer authorizes RevnuView to engage the following categories of Sub-processors:

  • Cloud Infrastructure: AWS, Google Cloud Platform, Microsoft Azure
  • Email Delivery: SendGrid, Postmark, AWS SES
  • Analytics: Mixpanel, Amplitude (anonymized data only)
  • Payment Processing: Stripe
  • Customer Support: Intercom, Zendesk

5.2 Sub-processor Obligations

RevnuView will:

  • Enter into written agreements with Sub-processors imposing data protection obligations equivalent to this DPA
  • Remain fully liable for Sub-processor performance
  • Notify Customer of any intended changes to Sub-processors with at least 30 days' notice
  • Allow Customer to object to new Sub-processors on reasonable grounds

6. Data Subject Rights

6.1 Assistance with Data Subject Requests

RevnuView will assist Customer in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Right of Access: Provide copies of Personal Data
  • Right to Rectification: Correct inaccurate Personal Data
  • Right to Erasure: Delete Personal Data ("right to be forgotten")
  • Right to Restriction: Limit processing of Personal Data
  • Right to Data Portability: Export Personal Data in machine-readable format
  • Right to Object: Object to processing based on legitimate interests

6.2 Customer Responsibility

Customer is responsible for responding to Data Subject requests directly. RevnuView will provide reasonable assistance and access to Personal Data as necessary to facilitate Customer's response within 10 business days of request.

7. International Data Transfers

7.1 Data Residency

Personal Data is primarily stored in data centers located in the United States. Customer acknowledges and consents to the transfer of Personal Data to the United States and other countries where RevnuView or its Sub-processors operate.

7.2 Transfer Mechanisms

For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not deemed adequate by the European Commission, RevnuView relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other lawful transfer mechanisms as recognized under Data Protection Laws

8. Data Retention and Deletion

8.1 Retention Period

RevnuView will retain Personal Data only for as long as necessary to provide the Subscription Services and fulfill the purposes outlined in this DPA, or as required by applicable law.

8.2 Deletion Upon Termination

Upon termination or expiration of the Agreement, RevnuView will:

  • Delete or return all Personal Data to Customer within 30 days, unless legally required to retain
  • Provide Customer with the option to export Personal Data prior to deletion
  • Certify deletion upon Customer's written request

9. Audits and Compliance

9.1 Audit Rights

Customer may audit RevnuView's compliance with this DPA once per year, subject to:

  • 30 days' prior written notice
  • Execution of a confidentiality agreement
  • Conducting audits during business hours and in a manner that does not disrupt operations
  • Customer bearing all costs of the audit

9.2 Certifications

RevnuView maintains the following certifications and compliance frameworks:

  • SOC 2 Type II (in progress)
  • GDPR compliance
  • CCPA compliance
  • ISO 27001 (planned)

10. Liability and Indemnification

10.1 Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

10.2 Indemnification

RevnuView will indemnify Customer against claims arising from RevnuView's breach of this DPA, subject to the indemnification procedures in the Agreement.

11. Term and Termination

This DPA will remain in effect for the duration of the Agreement. Upon termination of the Agreement, the data deletion provisions in Section 8.2 will apply.

Contact for Data Protection Inquiries

For questions about data processing or to exercise Data Subject rights, please contact: [email protected]

Last updated: December 9, 2024