DATA PROCESSING AGREEMENT (DPA)
Effective Date: 25/02/2025
This Data Processing Agreement ("DPA") is entered into by and between:
RevuEdge Ltd, a company registered in the United Kingdom with its registered address at 23 The Larches, Middlesbrough, TS6 0DW, United Kingdom ("RevuEdge Ltd"); and
The entity signing up for RevuEdge Ltd's services ("Controller").
This DPA supplements and forms part of the Terms of Service between the Controller and RevuEdge Ltd, outlining the rights and obligations regarding the processing of personal data in compliance with UK GDPR, Data Protection Act 2018, EU GDPR, and applicable international laws including CCPA/CPRA where relevant.
1. Definitions
- “UK GDPR” – The UK General Data Protection Regulation, as incorporated into UK law by the European Union (Withdrawal) Act 2018, along with the Data Protection Act 2018.
- “EU GDPR” – The General Data Protection Regulation (Regulation (EU) 2016/679), applicable to clients in the European Union.
- “CCPA/CPRA” – The California Consumer Privacy Act and the California Privacy Rights Act, applicable to US clients.
- “Personal Data” – Any information relating to an identified or identifiable individual.
- “Processing” – Any operation performed on Personal Data, including collection, recording, storage, use, and erasure.
- “Subprocessor” – Any third party engaged by RevuEdge Ltd to process Personal Data on behalf of the Controller.
- “Applicable Laws” – UK GDPR, Data Protection Act 2018, and where applicable, EU GDPR, US privacy laws such as CCPA/CPRA, and other relevant regulations.
2. Scope and Purpose
- RevuEdge Ltd shall process Personal Data solely for the purpose of providing the Services under the agreed terms with the Controller.
- RevuEdge Ltd shall not process Personal Data for any other purpose unless required by law.
- This DPA applies to all processing activities performed by RevuEdge Ltd on behalf of the Controller.
3. Roles and Responsibilities
3.1 Controller's Responsibilities
- Ensure that Personal Data shared with RevuEdge Ltd is collected lawfully.
- Obtain necessary consents from data subjects when required.
- Provide clear processing instructions to RevuEdge Ltd.
3.2 RevuEdge Ltd’s Responsibilities
- Process Personal Data only under the Controller’s instructions.
- Implement appropriate technical and organizational measures to protect Personal Data.
- Assist the Controller in responding to data subject requests.
- Notify the Controller of data breaches without undue delay.
4. Subprocessing
4.1 Subprocessors Used by RevuEdge Ltd
RevuEdge Ltd uses third-party service providers (“Subprocessors”) to provide services to our clients. By using RevuEdge Ltd, the client agrees to the processing of data by the following subprocessors:
| Subprocessor | Purpose | DPA Link | Business Address |
| --- | --- | --- | --- |
| OpenAI, L.L.C. | AI-generated responses | OpenAI DPA | 3180 18th Street, San Francisco, CA 94110, USA |
| Zapier, Inc. | Workflow automation | Zapier DPA | 548 Market St. #62411, San Francisco, CA 94104-5401, USA |
| Google Cloud (Google LLC) | Cloud hosting & storage | Google Cloud DPA | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
| Google Docs & Google Sheets (Google LLC) | Document storage & automation | Google Privacy Policy | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
| SendGrid, Inc. (Twilio) | Email delivery service | SendGrid DPA | 375 Beale Street, Suite 300, San Francisco, CA 94105, USA |
| Stripe Payments Europe Ltd | Payment processing | Stripe DPA | 1 Grand Canal Street Lower, Dublin 2, Ireland |
| PayPal (Europe) S.a.r.l. et Cie, S.C.A. | Payment processing | PayPal DPA | 22-24 Boulevard Royal, L-2449 Luxembourg |
| Meta Platforms, Inc. (Facebook & Instagram) | Social media integrations & tracking | Meta DPA | 1601 Willow Road, Menlo Park, CA 94025, USA |
| Microsoft Clarity (Microsoft Corporation) | User behavior analytics | Microsoft DPA | One Microsoft Way, Redmond, WA 98052, USA |
| Umami Software, Inc. | Privacy-friendly analytics | Umami Privacy Policy | |

4.2 Conditions for Subprocessing
- Approval: RevuEdge Ltd shall not engage any Subprocessor without the prior written consent of the Controller.
- Subprocessor Obligations: Any Subprocessor engaged by RevuEdge Ltd shall:
  - Be bound by data processing obligations that are at least as restrictive as those set out in this Agreement.
  - Be required to implement appropriate technical and organizational measures to protect Personal Data.
  - Provide the same level of protection and safeguards for Personal Data as RevuEdge Ltd is required to provide.
  - Be responsible for ensuring their compliance with the terms of the Agreement.
4.3 Notification of Subprocessor Changes
RevuEdge Ltd shall provide prior written notice to the Controller of any new Subprocessor(s) to be engaged or changes to the existing Subprocessors. The Controller will have the opportunity to object to such changes within [30] days of notification.
4.4 Liability for Subprocessors
RevuEdge Ltd shall remain fully responsible and liable to the Controller for the acts and omissions of any Subprocessor(s) as if they were RevuEdge Ltd's own actions.
5. Security Measures
RevuEdge Ltd will implement and maintain appropriate technical and organizational measures to ensure the security of Personal Data, including:
- Encryption of Personal Data during transmission and at rest.
- Access controls to restrict and monitor access to Personal Data.
- Regular security audits and assessments to evaluate the effectiveness of security measures.
- Incident response protocols for addressing data security breaches.
- Regular staff training on data protection and privacy practices.
6. Data Subject Rights
RevuEdge Ltd shall assist the Controller in fulfilling their obligations to respond to data subject rights requests, including the following:
- Right to Access: The right to obtain confirmation whether or not their Personal Data is being processed, and if so, access to that data.
- Right to Rectification: The right to correct inaccurate Personal Data.
- Right to Erasure: The right to request the deletion of Personal Data, subject to legal exceptions.
- Right to Restrict Processing: The right to request the restriction of Personal Data processing under certain circumstances.
- Right to Data Portability: The right to receive Personal Data in a structured, commonly used, and machine-readable format.
- Right to Object: The right to object to the processing of Personal Data on legitimate grounds.
RevuEdge Ltd will assist in facilitating such requests promptly and in accordance with applicable laws.
7. Data Breach Notification
RevuEdge Ltd shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a data breach involving Personal Data.
RevuEdge Ltd will provide the Controller with details of the breach, including the nature of the breach, the data affected, and the corrective actions taken.
8. Audit and Inspection Rights
The Controller has the right to audit and inspect RevuEdge Ltd’s compliance with the terms of this DPA, at their own expense. RevuEdge Ltd agrees to provide reasonable assistance to facilitate such audits, including access to relevant records and systems.
9. Retention of Personal Data
RevuEdge Ltd shall retain Personal Data only for as long as necessary to provide the Services, comply with legal obligations, or as agreed with the Controller. Upon termination of the agreement, RevuEdge Ltd will, at the Controller’s discretion, return or securely destroy Personal Data.
10. International Transfers of Personal Data
If Personal Data is transferred to a country outside the United Kingdom or European Economic Area, RevuEdge Ltd will ensure that such transfers comply with applicable data protection laws, including the use of standard contractual clauses, and appropriate safeguards to ensure the protection of Personal Data.
11. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising out of or in connection with this DPA shall be resolved exclusively in the courts of England and Wales.
12. Contact Information
For any questions or concerns about this DPA, please contact us at:
13. Signatures
For and on behalf of RevuEdge Ltd:
Signature: Luke Harland
Title: CEO @ RevuEdge LTD
Date: 25/02/2025