Data Processing Agreement
https://revmo.ai/legal/dpa
This Revmo AI Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the Revmo AI Subscription Services under the Revmo AI Customer Terms of Service available at https://revmo.ai/legal/#terms-of-service, as may be updated from time to time, between you and us (also referred to in this DPA as the “Agreement”).
1. Definitions. In this Agreement, these terms will have the following meanings:
“Controller” means a person that, either alone or with another person, determines the purposes and means of Processing Personal Data, and includes a “Business” as defined by CCPA.
“Data Incident” means any unauthorized destruction, loss, alteration, disclosure, acquisition or use of, or access to, Personal Data Processed under this Agreement.
“Data Protection Laws” means all state, federal, national, or international laws, rules, and regulations applicable to the Personal Data Processed under this Agreement. Data Protection Laws may include, without limitation: EU Regulation 2016/679 (“EU GDPR”), EU Directive 2002/58/EC (the “ePrivacy Directive”), and any laws, regulations, or rules implementing the foregoing, or implemented in European Union Member States thereunder, and any successor directives or regulations thereof then in effect, the UK Data Protection Act 2018, the UK GDPR (as defined in the Data Protection Act 2018), the UK Privacy and Electronic Communications (EC Directive) Regulations 2003; the Swiss Data Protection Act 2020 (collectively “European Data Protection Laws”); the then-current version of the Payment Card Industry Data Security Standard (“PCI-DSS”); and Cal. Civ. Code §§ 1798.80 et seq., 1798.100 et seq. and its implementing regulations (“CCPA”).
“Data Subject” means any natural person to whom, or household to which, Personal Data relates.
“Personal Data” means any Customer Data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject, including without limitation, all information defined as “Personal Information” or analogous definitions in applicable Data Protection Laws. “Personal Data” does not include data that has been anonymized such that it no longer identifies and cannot be reasonably used to identify any Data Subject.
“Processing” or “Processed” or “Processes” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a person, to the extent that person Processes Personal Data on behalf of a Controller, including persons defined as “Service Providers” or similar under analogous definitions under applicable Data Protection Laws.
2. Compliance. Revmo will comply with all applicable Data Protection Laws, as well as all other laws, rules and regulations applicable to Revmo’s Processing of Personal Data.
3. Controller/Processor. The parties intend for Customer to act as the Controller, and Revmo to act as the Processor with respect to the Personal Data Processed under the Terms of Service and this Agreement.
4. Processing Purpose/Limitation. Customer authorizes Revmo to Process Personal Data: (a) as necessary to provide the Services, subject to the specifications and limitations set forth in the Terms of Service and this Agreement; and (b) as otherwise mutually agreed in advance and in writing. Revmo will not (y) sell (as defined in applicable Data Protection Laws) or share (as defined in CCPA), or (z) retain, use, or disclose any Personal Data for commercial purposes or any purpose other than the direct business relationship between the parties, or for the purpose of providing services to another person or entity except: (i) as necessary to fulfill Customer’s authorized business purposes as provided herein; or (ii) as otherwise required by applicable law or regulations, provided Revmo notifies Customer of such legal requirement before Processing (unless the law prohibits such disclosure on public interest grounds). Revmo may not combine Personal Data received from or Processed on behalf of Customer with Personal Data it receives from or on behalf of third parties, except that Revmo may combine Personal Data to perform any business purpose (as defined by CCPA), and to the extent such combination is authorized under the Terms of Service or Data Protection Laws.
5. Authorized Persons. Revmo will ensure that persons authorized by Revmo to Process the Personal Data, including without limitation all approved Subprocessors (as defined below), are under an appropriate contractual or statutory obligation of confidentiality with respect to such Personal Data.
6. Subprocessing. Revmo may appoint additional Processors to Process Personal Data on Revmo’s behalf or perform its obligations under the Terms of Service (“Subprocessor”). Revmo will notify Customer of any new or modified Subprocessors as soon as reasonably practicable following Revmo’s decision to engage or change such Subprocessor, and in any event, prior to such Subprocessor’s Processing of Personal Data. Customer shall have the right to object to the engagement of such Subprocessor for reasonable cause. Revmo shall authorize Subprocessors to Process Personal Data only to the extent necessary to perform the Subprocessor’s obligations. Revmo accepts liability for, and shall remain liable to Customer with respect to any such third parties’ Processing of Personal Data.
7. Deletion and Retention. Revmo will cease Processing Personal Data upon the earlier of: (a) the termination or expiration of Revmo’s obligations under the Terms of Service (including without limitation any data retention obligations); or (b) the written request of the Customer. In each case, Revmo will, at Customer’s option, either return or delete such Personal Data. The foregoing obligations shall not apply to the extent and for so long as Revmo is required to retain such Personal Data under applicable law or regulations, pursuant to its obligations under the Terms of Service which survive such expiration/termination, and to the extent stored in connection with reasonable backup and disaster recovery processes conducted in the ordinary course of business. Revmo’s obligations under this Agreement shall survive any termination of the Terms of Service or this Agreement for so long as Revmo remains in possession or control of, has access to, or otherwise Processes Personal Data.
8. Security. Revmo shall implement appropriate technical, organizational, and physical security measures to ensure a level of security appropriate to protect Personal Data from unauthorized access, use, modification, disclosure, or other Processing.
9. Data Incidents. Revmo shall take appropriate and all necessary steps to investigate, contain, remediate the cause, and mitigate any immediate risks to Personal Data arising from any Data Incident. Revmo shall notify Customer without undue delay if Revmo confirms a Data Incident. Revmo will provide, subject to reasonable confidentiality obligations and redactions of privileged information, appropriate information available regarding the scope, nature, and effects of the Data Incident and affected Data Subjects. Revmo shall assist Customer with any updates or further information on Customer’s reasonable request, and as required to fulfill the parties’ obligations Data Protection Laws.
10. Data Subject Rights. Customer will promptly notify Revmo of any inquiry or notice from any supervisory authority regarding a party’s Processing of Personal Data under this Agreement or compliance with applicable Data Protection Laws. To the extent Customer cannot fulfil a request itself using the tools available in the Hosted Services, Revmo will cooperate as reasonably necessary, including through the use of appropriate technical and organizational means, to assist Customer in the fulfilment of its obligations in relation to a Data Subject’s request to exercise their rights in Personal Data, or in connection with any response to Data Subjects or supervisory authorities.
11. International Transfers. Customer authorizes Revmo’s Processing of Personal Data without limitation in the United States as required pursuant to the Terms of Service. Revmo shall ensure that Personal Data remains adequately protected to the extent required under applicable Data Protection Laws. On written request of Customer, the parties shall negotiate in good faith any further agreements or supplemental measures which may be required under applicable Data Protection Laws in relation to the international transfer of Personal Data prior to any such transfer.
12. Assistance. To the extent necessary in relation to Revmo’s Processing of Personal Data hereunder, Revmo will provide reasonable assistance to Customer with any data protection impact assessments or any prior consultations with supervisory authorities which may be required under applicable Data Protection Laws.
13. Compliance Information. Revmo shall keep complete records that are sufficient to demonstrate Revmo’s compliance with the Data Protection Laws throughout the Term.
14. Audits. Revmo agrees to permit Customer, not more than once every twelve (12) months (except in the event of a Data Incident or request of a component regulatory authority), to conduct an assessment of Revmo’s compliance with this Agreement. The parties agree that this obligation is fulfilled by Revmo making available, upon request, and subject to appropriate redactions and confidentiality obligations, Revmo’s then-current independent third-party certifications or audit reports, answering reasonable questionnaires from Customer, and providing other relevant documentation necessary to demonstrate compliance. If, and solely to the extent the foregoing are insufficient to demonstrate Revmo’s compliance with this Agreement, or where further reviews or audits are required by Data Protection Laws, the parties shall negotiate in good faith regarding the scope and nature of such reviews and audits, provided that any such reviews/audits: (a) shall be limited to the extent necessary for Revmo to demonstrate compliance with this Agreement or comply with the requirements of Data Protection Laws or request of the competent supervisory authority; (b) may be limited, in Revmo’s reasonable discretion, to the extent necessary to avoid disclosure of third party confidential information; (c) shall be subject to any relevant requirements or limitations of Revmo’s authorized Subprocessors; and (d) shall be conducted on no less than two weeks’ prior notice, in good faith, with minimal disruption, and during normal business hours.
15. Non-Compliance Notice. Revmo will promptly inform Customer if, in its opinion, an instruction of Customer violates any Data Protection Laws. Further, in the event Revmo (or Subprocessor or other third party to whom Revmo discloses Personal Data) becomes aware that it is unable to comply with applicable Data Protection Laws, Revmo shall promptly notify Customer and either (a) promptly take all steps necessary to comply with all applicable Data Protection Laws, or (b) cease Processing Personal Data to the extent not compliant with applicable Data Protection Laws.
16. Priority. To the extent of any inconsistency or conflict among the following, the order of precedence shall be: (a) this Agreement; and (b) the Terms.
17. Changes. In the event of any change in the Data Protection Laws, the parties will negotiate in good faith toward an agreement on any additional contractual terms which may be required following such change.