Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between RevSprint Ltd (“RevSprint”, “Processor”) and the customer (“Controller”) and sets out the obligations of the parties in relation to personal data processed by RevSprint on behalf of the Controller. It is entered into pursuant to Article 28 of the UK GDPR.
1. Roles and scope
The Controller determines the purposes and means of processing personal data submitted to the Service (“Customer Personal Data”). RevSprint acts as Processor and processes Customer Personal Data only on documented instructions from the Controller, which include the instructions set out in the Terms of Service, in this DPA, and as configured by the Controller within the Service.
2. Definitions
Terms such as “controller”, “processor”, “personal data”, “processing”, “personal data breach”, and “data subject” have the meanings given in the UK GDPR. “Sub-processor” means any third party engaged by RevSprint to process Customer Personal Data on behalf of the Controller.
3. Subject matter, nature, and purpose
- Subject matter: processing of Customer Personal Data to provide the Service.
- Duration: the term of the subscription, plus a short wind-down period for deletion or return.
- Nature and purpose: hosting, storage, retrieval, analysis, and display of Customer Personal Data, the generation of summaries and suggested actions, and the delivery of the features configured by the Controller.
- Categories of data subjects: Authorised Users of the Controller and individuals whose details the Controller chooses to process in the Service (for example customers, prospects, staff, suppliers).
- Categories of personal data: contact details, business role, communications, interaction history, and any other fields the Controller elects to store. The Service is not intended for special-category data.
4. Processor obligations
- Process Customer Personal Data only on documented instructions from the Controller.
- Ensure personnel authorised to process Customer Personal Data are under an appropriate duty of confidentiality.
- Implement appropriate technical and organisational measures in accordance with section 7 below.
- Engage Sub-processors only under the conditions set out in section 5 below.
- Assist the Controller, at the Controller’s cost where reasonable, with data subject requests, data protection impact assessments, and consultations with the ICO.
- Notify the Controller without undue delay of any personal data breach in accordance with section 8 below.
- Delete or return Customer Personal Data on termination in accordance with section 10 below.
- Make available to the Controller the information necessary to demonstrate compliance with Article 28 of the UK GDPR.
- Not use Customer Personal Data to train, fine-tune, or improve any foundational AI model, nor any model offered to other Controllers, and contractually require any Sub-processor that processes Customer Personal Data through a machine-learning or large language model API to exclude that data from its model training pipelines.
5. Sub-processors
The Controller grants general authorisation to RevSprint to engage Sub-processors, subject to a written contract that imposes data protection obligations equivalent to those in this DPA. We will maintain a list of current Sub-processors and notify the Controller of any proposed addition or replacement with at least 30 days’ notice. The Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; if unresolved, the Controller may terminate the affected part of the subscription.
Current categories of Sub-processors: cloud infrastructure and managed database hosting; large language model and embedding providers; transactional email delivery; payment processing and invoicing; error monitoring and application performance monitoring; privacy-preserving website analytics. A detailed, up-to-date list of named Sub-processors is available on request to dpo@revsprint.ai. Controllers may subscribe at the same address to receive email notifications of any proposed addition or replacement of a Sub-processor at least 30 days in advance.
6. International transfers
Where RevSprint transfers Customer Personal Data outside the United Kingdom, it will do so under the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism. Controller hereby authorises such transfers for the purposes of providing the Service. Copies of the transfer safeguards are available on request.
7. Security measures
RevSprint implements and maintains technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing and accidental loss, destruction, or damage, including:
- Encryption of data in transit using TLS and at rest.
- Role-based access control, least-privilege service accounts, and tenant isolation of Customer Personal Data.
- Multi-factor authentication for administrative access and strong password requirements.
- Append-only audit logging of administrative and privileged actions.
- Secure software development, code review, vulnerability management, and dependency scanning.
- Regular backups with documented restore procedures and tested incident response.
- Background checks and confidentiality undertakings for personnel with access to Customer Personal Data.
8. Breach notification
RevSprint will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
9. Assistance with data subject requests
The Service provides self-service tools for the Controller to access, rectify, export, and delete Customer Personal Data. RevSprint will assist the Controller with any data subject request it cannot fulfil through those tools, taking into account the nature of the processing.
10. Return or deletion on termination
On termination or expiry of the subscription, RevSprint will delete or return all Customer Personal Data, at the choice of the Controller, within 30 days, except where retention is required by applicable law. Backups will be deleted in the ordinary course of business in line with our backup rotation schedule.
In line with the right to data portability under the UK GDPR and the EU Data Act, the Service provides self-service tools for the Controller to export Customer Personal Data in commonly used, machine-readable formats throughout the term and during the 30-day wind-down period. RevSprint will not impose contractual, commercial, or technical barriers on the Controller’s switch to another service provider.
11. Audits
RevSprint will make available to the Controller, on reasonable request, information necessary to demonstrate compliance with Article 28. Where a Controller requires further audit, the parties will agree the scope, timing, and cost in advance. Third-party audit reports and certifications, where available, will be provided to satisfy audit obligations.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
13. Contact
Questions about this DPA or to request the current Sub-processor list: dpo@revsprint.ai.