Data Processing Agreement (DPA)

Last updated 29 May 2024

This DPA is between

(a)     The company and its Affiliates (collectively “Customer”) identified in the signature block, and

(b)   Revyz Inc., a company incorporated under the laws of the State of Delaware, having its principal place of business at  35767 Hibiscus Ave, Fremont, CA, 94536, United States of America and its Affiliates (collectively “Revyz”).

Together the “Parties” and each a “Party”.

The Parties agree as follows:

1. Subject matter of this DPA

1.1. This DPA applies to the Processing of Personal Data that is subject to the EU General Data Protection Regulation (“GDPR”) (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

1.2. This DPA supplements the terms of the End User License Agreement (“EULA”) ( a “Service Agreement”), under which Revyz provides certain services (“Services”).

1.3. To the extent Revyz processes Personal Data subject to the GDPR on behalf of Customer in the course of the performance of a Service Agreement, the terms of this DPA shall apply.

1.4. This DPA shall be effective starting on June 1, 2022. 

2. Definitions

2.1. The terms “Processing”, “Personal Data”, “Controller”, “Processor”, “Personal Data Breach” and “Supervisory Authority”, “Commission”, “Member State” shall have meanings given in the GDPR, and their cognate terms shall be construed accordingly.

2.2. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

2.3. “Customer Data” means all Personal Data which is provided to Revyz (or to any sub-processor) by the Customer in connection with the Service Agreement.

3. Customer and Revyz

3.1. Customer

3.1.1. Customer is the Data Controller. Customer will comply with the applicable GDPR obligations with respect to the processing of Customer Data (Art 24). Customer will not instruct Revyz to process any Customer Data in a manner that would constitute a breach of the GDPR.

3.1.2. Customer warrants that Customer has all the necessary rights to provide the Customer Data to Revyz for the Processing to be performed in relation to the Services. To the extent required by the GDPR, Customer is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should a consent be revoked by the data subject, Customer is responsible for communicating the fact of such revocation to Revyz, and Revyz remains responsible for implementing any Customer instruction with respect to the further processing of that Customer Data.

3.2. Revyz

3.2.1. Revyz is the Data Processor. Revyz will comply with the applicable GDPR obligations with respect to the processing of Customer Data (Art 28).

4. Processing Instructions

4.1. Revyz will process the Customer Data only as set forth in Customer’s written instructions as set forth in the EULA and in this DPA, or as agreed upon in writing by the parties and to the extent that the processing is appropriate for the provision of the Services, unless Revyz is required to comply with a legal obligation to which Revyz is subject (Art 28(3)(a)). In such a case, the Revyz shall notify the Customer of that legal obligation before processing unless that legal obligation explicitly prohibits the furnishing of such information to the Customer.

4.2. The Parties have entered into a EULA in order to benefit from the expertise of the Revyz in processing the Customer Data for the purposes set out in Exhibit 2. Exhibit 2 describes the processing of Customer Data as required by GDPR, Article 28(3). Customer may make reasonable amendments to Exhibit 2 by written notice to Revyz to meet the GDPR requirements. Nothing in Exhibit 2 (included as amended pursuant to this Section) confers any right or imposes any obligation on any Party to this DPA. Revyz shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this DPA.

5. Confidentiality (Art 28(3)(b))

Without prejudice to any existing contractual arrangements between the Parties, Revyz shall treat all Customer Data with an obligation of confidentiality and shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Customer Data. Revyz shall ensure that all such persons or parties are under an appropriate obligation of confidentiality.

6. Security (Art 28(3)(c))

6.1. Revyz will take all measures required by Article 32 (Security of Processing) of the GDPR.

6.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, Revyz shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Customer Data appropriate to the risk (Art 32(1)).

6.3. In assessing the appropriate level of security, Revyz shall take into account the particular risks that are presented by processing, for example, from accidental or unlawful destruction, loss, alteration, unauthorized or unlawful storage, processing, or access or disclosure of Customer Data (i.e. Personal Data Breach) (Art 32(2)).

7. Sub processing (Art 28(3)(d)

7.1. Customer authorizes the engagement of Revyz’s Affiliates as subprocessors (Art 28(2)).

7.2. Customer agrees that Revyz may continue to use those subprocessors already engaged by Revyz as of the date of this DPA (Art 28(2)).

7.3. Customer generally authorizes the engagement of any other third-parties as subprocessors (Art 28(2)).

7.4. Information about subprocessors, including their functions and locations, is available at legal@revyz.io .

7.5. Requirements for subprocessor engagement (Art 28(4)) With respect to each subprocessor, Revyz shall:

7.5.1. Before the subprocessor first processes any Personal Data, carry out adequate due diligence to ensure that the subprocessor is capable of providing the level of protection for Personal Data required by the Service Agreement;

7.5.2. Ensure that the arrangement is governed by a written contract including terms that offer at least the same level of protection for Personal Data as those set out in this DPA and meet the requirements of GDPR Article 28(3);

7.5.3. Remain fully liable for all obligations subcontracted to, and all acts and omissions of the subprocessor.

8. International Data Transfers (Art 28(6)-(8), Art 44 - 46)

8.1. Customer instructs Revyz to transfer Customer Data to any country or territory as is reasonably necessary for the provision of the Services.

8.2. Customer agrees that Revyz and its subprocessors may store and process Customer Data in a country outside of the European Economic Area provided that the European Commission has determined that the country provides an adequate level of protection, or the Commission has determined that a regulatory framework provides an adequate level of protection.  For the purposes of this DPA, the parties agree to rely on Standard Contractual Clauses (MODULE TWO: Transfer controller to processor), dated 4 June 2021, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described in Article 46 of the GDPR and approved by European Commission Implementing Decision (EU) 2021/91 (“Standard Contractual Clauses (EU/EEA)”) and adopted by the Switzerland Federal Data Protection and Information Commissioner (“Swiss FDPIC”) as well as the International Data Transfer Addendum to the Standard Contractual Clauses (EU/EEA) as adopted by the United Kingdom Information Commissioner’s Office (“UK ICO”) for use in connection with data transfers from the United Kingdom (“Standard Contractual Clauses (UK)”). The Standard Contractual Clauses (UK).

8.3. To the extent that a Party relies on a basis for international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to terminate promptly the transfer and to pursue an alternate mechanism that can lawfully support the transfer.

9. Data Subject Rights (Art 28(3)(e))

9.1 Revyz shall use reasonable endeavors to assist the Customer in responding to their Data Subject requests. Revyz shall have at least 30 days, from the time the Customer asks for assistance, to respond to the Customer’s request. The performance and cost of such requests shall be in accordance to the EULA and Revyz’s price list at any giving time.

9.2 Revyz must not disclose the Personal Data to any Data Subject or to a third party and responsibility for responding to requests from Data Subjects shall remain with the Customer.

10. Cooperation (Art 28(3)(f) and (3)(h))

10.1 If requested, Revyz will provide reasonable assistance to the Customer to comply with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Revyz.

10.2 Revyz shall make available to Customer upon request any reasonable information to demonstrate compliance with Revyz’s obligations under this DPA. Revyz shall reply to any requests for information under this Section within 60 days of receiving the request.

10.3 Revyz will perform audits of its Personal Data Processing practices and the information technology and information security controls for its facilities and systems used in complying with its obligations under this Agreement.

11. Incident Management (Art 33 - 34)

11.1. Revyz shall notify Customer without undue delay upon Revyz (or any subprocessor) becoming aware of a Personal Data Breach affecting Customer Data, and provide Customer with sufficient information to allow each it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the GDPR.

11.2. Revyz shall cooperate with Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

11.3. Any notifications made to the Customer pursuant to this Section shall be addressed to the employee of the Customer whose contact details are provided in Exhibit 1 of this DPA, and shall contain:

11.3.1. a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

11.3.2. the name and contact details of the Revyz’s data protection officer or another contact point where more information can be obtained;

11.3.3. a description of the likely consequences of the incident; and

11.3.4. a description of the measures taken or proposed to be taken by the Revyz to address the incident including, where appropriate, measures to mitigate its possible adverse effects.

12. Return or Destruction of Personal Data (Art 28(3)(g))

12.1. Upon termination of this DPA, upon Customer’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, Revyz shall, at the discretion of Customer and within reasonable business efforts, either delete, or destroy Customer’s data.

12.2. Revyz shall notify all subprocessors of the termination of the Data Processing Agreement and shall notify that all such subprocessors either delete or destroy the Personal Data, at the discretion of Customer.

12.3. Revyz and its subprocessors may retain Customer Personal Data to the extent required by a legal obligation and only to the extent and for such period as required by the legal obligation.

13. Limitation of Liability

Revyz’s liability to Customer for any kind of loss or damage arising out of or in connection with breach of this DPA (including breach of contract, tort, misrepresentation or restitution) will: (a) be subject to the exclusions of liability applicable to Revyz in the Service Agreement; and (b) be subject to, and will in no event exceed, the limitation on Revyz’s liability in the Service Agreement. Any liability incurred under this DPA, such as regulatory fines, will be included in the calculation of Revyz’s liability in the Service Agreement.

14. Termination

This DPA will remain in effect until the later of: (a) the termination or expiry of the Service Agreement, and (b) Revyz ceasing to process the Customer Data.

15. General Terms

15.1. The terms of the Service Agreement shall apply to this DPA.

15.2. Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Service Agreement, the DPA shall prevail.

List of sub-processors