Data Processing Agreement
Personal data processing terms in accordance with GDPR
1. Background
This data processing agreement ("DPA") is incorporated by reference into the Terms and forms an integral part of the Agreement between Revial (Service Provider) and Customer. It establishes conditions for how the Service Provider processes personal data on behalf of the Customer.
2. Scope
When Customer inputs personal data into the Services or it is processed during service delivery, both parties acknowledge that Customer acts as the controller and Service Provider as the processor, handling personal data on Customer's behalf for service provision purposes.
In case of conflicts between this DPA and other Agreement terms, this DPA takes precedence.
3. Definitions
Terms used here—such as "controller," "processor," "data subject," and "personal data"—carry meanings consistent with the General Data Protection Regulation (EU) 2016/679 and other applicable data protection legislation.
4. Personal Data Processing
The purpose of processing is delivering Services to Customer. This includes storage, maintenance, and necessary operational handling. Processing details, affected groups, and data types are outlined in Appendix 1.
Data processing continues throughout the service period and afterward if required by law or contractual obligations.
5. Customer Instructions and Responsibility
Service Provider processes data according to written instructions confirmed in this DPA. This document constitutes Customer's complete written guidance. Additional instructions require separate written agreement.
Customer ensures its data processing complies with applicable data protection regulations.
6. Service Provider's General Obligations
Upon written request and at Customer's expense, Service Provider assists with responding to data subject or authority requests. Assistance is billable at standard hourly rates unless otherwise agreed.
Service Provider promptly notifies Customer of requests from data subjects to exercise rights under GDPR.
Service Provider maintains records of its processing activities to demonstrate compliance, providing sufficient information to Customer upon written request.
7. Data Security
Service Provider implements appropriate technical and organizational measures ensuring adequate security levels and protecting personal data from unauthorized processing, accidental loss, destruction, damage, alteration, or disclosure. Security measures are described in Appendix 2.
The Service Provider may update the security measures from time to time, provided the overall level of protection is not reduced.
Upon becoming aware of a personal data breach, Service Provider notifies Customer without undue delay and takes reasonable steps to mitigate harm. Notifications include: (a) a description of the nature of the breach and the categories of data subjects affected; (b) contact information for further details; (c) the probable consequences of the breach; and (d) the remedial actions taken or proposed.
Service Provider cooperates on a commercially reasonable basis with Customer's breach notifications to supervisory authorities and maintains breach documentation for Customer review.
8. Sub-processors
Service Provider may use sub-processors for service delivery. The current list of sub-processors appears in Appendix 3 and is kept up to date on the Service Provider's website.
Service Provider provides written notice of sub-processor changes at least fourteen (14) days in advance, allowing Customer adequate time to object. Customer consents to sub-processor use as described.
Service Provider ensures sub-processors maintain substantially equivalent data protection obligations and is responsible for their compliance.
9. Personal Data Transfers
The Service uses sub-processors located within the European Economic Area ("EEA"), where personal data is stored. Some sub-processors may also operate outside the EEA (per Appendix 3); Customer accepts such transfers provided the sub-processor (i) executes them under the applicable EU Standard Contractual Clauses (SCC); or (ii) relies on another suitable transfer mechanism, such as the EU-U.S. Data Privacy Framework or an adequacy decision.
10. Audits
Upon written request and at Customer's expense, Customer may audit Service Provider's compliance with this DPA and the GDPR once per twelve (12) months. Audit reports are considered Service Provider's confidential information.
11. Data Confidentiality
Service Provider ensures personnel and entities processing data under this DPA maintain appropriate confidentiality. Confidentiality obligations otherwise follow the Terms.
12. Other Terms, Effectiveness, and Termination
The provisions of the Terms otherwise apply, including the limitations of liability and damages.
This DPA becomes effective together with the main Agreement and remains in force until the Agreement terminates or, if later, until Service Provider ceases processing Customer's personal data.
Unless Customer directs otherwise in writing, and unless applicable law requires retention, Service Provider deletes and destroys the processed personal data in accordance with the timeframes in Terms section 4.4, which define the period during which Customer can retrieve its data from the Service.
Appendix 1: Processing Details
The following information supplements this DPA and describes the parties to, the nature, purpose, and duration of the processing, as well as the types of personal data and categories of data subjects, as required by Article 28 of the GDPR.
Controller: The Customer (the customer organization defined in Revial's main agreement). Address: The Customer's official address (as stated in the main agreement). Contact person: The Customer's representative (e.g., signatory or data protection contact person).
Role: Controller – The Customer uses the Revial Service for the processing of personal data for its own purposes (sales and customer relationships) and determines the purposes and means of processing.
Processor: Spinder Company Oy (Business ID 3384117-2, a Finnish limited liability company). Address: c/o Toinen Toimisto, Kempeleentie 7, 90400 Oulu. Contact person: Revial's data protection officer or contact person (support@revial.com).
Role: Processor – Revial provides a cloud-based sales software service (including AI features) and processes the Customer's personal data on behalf of the Customer for the purpose of providing the Service in accordance with the terms of the main agreement.
Nature and Purpose of Processing: The processing of personal data is necessary for Revial to provide the Customer with the functionalities of the Service. Processing includes, among other things, storing data in Revial's cloud-based system (customer data and notes in a CRM-type manner), organizing and retrieving data, producing AI-based analyses and summaries from content entered by the Customer (e.g., automatic summarization of meeting notes or generation of email drafts), and communication features (e.g., email integration, reminders). Processing is predominantly automated and occurs as a result of actions performed by the Customer in the Service. Revial processes data only to the extent required for the delivery and technical maintenance of the Service.
The purpose of processing is to enable the enhancement of the Customer's sales processes: The Customer can store and manage sales leads, customer data and contacts, track sales conversations, and utilize AI-generated analyses and suggestions as part of its sales work.
Subject Matter and Duration of Processing: The subject matter of processing is personal data provided by the Customer or collected on behalf of the Customer, related to the Customer's sales and customer relationship activities. Processing commences when the Customer first uploads personal data to the Revial Service and continues for the entire duration of the main agreement. Processing of personal data ceases when the main agreement terminates and all of the Customer's personal data has been returned or deleted from Revial's environment in accordance with this DPA. Typically, processing is continuous during the contract period (personal data is added, modified, analyzed, and deleted by the Customer on a regular basis in connection with the use of the Service).
Types of Personal Data: The following main categories of personal data are processed in the Service:
- Contact information: names, professional titles, employer or organization name, work or business email addresses, phone numbers, postal addresses, and other similar contact information. (E.g., contact information of the Customer's sales leads and customers, professional contact information of the Customer's employees.)
- Communication content: content of conversations and messages related to sales and customer contacts. This may include meeting notes, meeting and call recordings and their transcriptions, email messages and threads, chat or messaging platform conversations, proposals and draft contracts, and other documents containing individuals' comments, opinions, scheduling information, etc.
- Event and tracking data: information about actions and interactions in the sales process. For example, records of meeting dates and participants, sent proposals, call or presentation dates, and related outcomes (such as "proposal accepted/rejected," "follow-up call scheduled for date X"). This data may contain a person's name and other information as part of the records.
- User account and log data: basic information related to the accounts of the Customer's authorized users (e.g., employees) in the Service, such as name, username, email address, as well as log data generated from the use of the Service, such as login times, key actions performed by the user (e.g., adding or editing records), the user's device IP address, and other technical event data. This data may be considered personal data when it relates to an identifiable person (the Customer's user).
- Special categories of personal data (e.g., racial/ethnic origin, political opinions, religious beliefs, health or biometric data, criminal record data) are not intended or permitted to be processed in the Service.
Categories of Data Subjects: The personal data processed by the Customer in the Service may relate to the following categories of data subjects:
- Customer's own personnel: The Customer's employees, representatives, or other Service users whose personal data (primarily professional contact information and user account data) is processed in connection with the use of the Service. (E.g., salespeople or team members whose actions are recorded in the system and whose contact information may appear in meeting invitations or communications.)
- Customer's clients and leads: natural persons (sole proprietors, contact persons of business customers, consumer customers) targeted by the Customer's sales or marketing activities and whose data the Customer stores in the system. This group includes, for example, potential customers ("leads"), existing customers, contact persons of business partners, and other business contacts. Their data may include contact information and communication content, as described above.
- Representatives of third parties: other persons who may appear in the data stored by the Customer. For example, if a representative of another company or a reference provider participates in the Customer's sales meeting, their name and speech may be included in the meeting notes or transcription. Similarly, if the Customer records the contact information of an end customer's contact person in the system as part of the sales process, that person is a data subject in the Service.
Duration and Termination of Processing: Processing of personal data continues for the entire duration of the contractual relationship. The Customer may determine data retention periods during the use of the Service (e.g., by regularly deleting data that has become unnecessary). Revial shall comply with the Customer's instructions for data deletion during the contract period as well. Upon termination of the Agreement, personal data shall either be returned to the Customer or permanently deleted, as agreed in Section 12 of the DPA.
Appendix 2: Revial's Technical and Organizational Security Measures
Revial has implemented the following key technical and organizational measures to protect personal data from unauthorized or unlawful processing, loss, destruction, and damage. The measures have been designed taking into account the state of the art, the costs of implementation, the nature, scope, and purposes of the processing, and the risks to personal data.
Access Control: Access to the Customer's personal data is restricted to authorized persons who have a work-related need to process the data. Revial uses role-based access rights: employees and system processes are granted only the minimum privileges required ("need-to-know" and "least privilege" principles). Logging into the system requires authentication: access to the service's administrative interfaces requires at a minimum a username and password, and for critical systems additionally multi-factor authentication (MFA), where technically possible. Default passwords are changed during deployment. Access rights are reviewed regularly, and when an employee's role changes or their employment terminates, their access to personal data is removed or blocked without delay. All persons with access rights must commit to confidentiality (as described in Section 11).
Encryption: Revial protects personal data with strong encryption both in transit and at rest. All network traffic between the user's browser (or other client application) and Revial's servers is encrypted using the TLS (Transport Layer Security) protocol (version 1.2 or newer), preventing interception of data in transmission. Data on servers and in databases is encrypted at rest using strong encryption algorithms (e.g., AES-256). Encryption keys are managed securely (using cloud provider key management services or equivalent mechanisms), and access to keys is restricted to a small number of authorized persons. Backups and removable media containing personal data are also encrypted, so that the data remains protected even if the media are lost or stolen.
Network and Application Security: Revial's cloud infrastructure utilizes firewalls and network segmentation to protect personal and customer data. Only essential services and ports are exposed to the internet; otherwise, access to internal databases and services is restricted to Revial's internal network or VPN connections. Revial uses routing and content delivery providers that also handle DDoS protection. At the application layer, Revial has implemented mechanisms to prevent common malicious events (e.g., rate-limiting suspiciously frequent actions such as brute-force login attempts). Revial continuously updates its software components against known vulnerabilities: critical security patches are installed promptly, within a few business days of release at the latest. Revial's code and infrastructure undergo regular vulnerability scans using automated tools. Additionally, Revial periodically commissions external experts to conduct penetration tests of its systems; the results of these tests are reviewed, and any weaknesses identified are remedied without delay.
Logging and Monitoring: Revial monitors its systems to detect security threats and error conditions. Key systems have comprehensive log collection: records include user logins, significant actions (e.g., adding, modifying, and deleting records), system error messages, and server resource usage. These log data are protected against unauthorized modification and are retained for a defined period. Revial has automatic alerts in place – for example, repeated failed login attempts, unusually large database queries, or server performance spikes trigger notifications to the operations team. Revial's team reviews log data and alerts regularly. Any anomalies (e.g., unauthenticated access attempts or unusual data queries) are investigated without delay. Log data is also used for forensics in the event of security breaches.
Personnel Training and Reliability: Security and data protection are part of Revial's corporate culture. New employees are inducted into Revial's security and data protection policies, and all staff receive at least annual training covering GDPR principles, good security practices (e.g., identifying phishing attacks), and the company's internal guidelines on personal data processing. Background checks may be conducted on employees in critical roles during the recruitment phase within the limits permitted by applicable law. All Revial employees have signed confidentiality agreements and are committed to complying with the company's security and data protection policies. Revial has defined internal disciplinary measures in the event an employee breaches data protection or security obligations.
Backups and Continuity: Revial ensures the availability and integrity of personal data by maintaining regular backups. Databases containing personal data are backed up daily (or more frequently if business continuity requires). Backups are stored encrypted in a separate storage location (e.g., a different cloud provider's storage or a different region) protected from physical and logical threats. Revial has defined target recovery times: in critical cases, the Recovery Time Objective (RTO) is typically 24–48 hours, and the maximum data loss (Recovery Point Objective, RPO) is at most 24 hours (i.e., backups are frequent enough that at most one day's data may be lost in the worst case). Backup restoration is tested regularly to ensure that data can be read and restored as expected in an actual disruption. Revial has a disaster recovery plan: if the primary server infrastructure suffers a serious failure, Revial can launch its services in a backup environment (potentially in another data center or cloud region) as quickly as possible.
Incident Management: Revial has prepared a written security incident management plan. It defines the actions and responsibilities in the event of suspected or detected security breaches (including a communication plan, escalation path, and cooperation with authorities). Revial's personnel are trained to identify and report security incidents internally without delay. When a potential personal data breach is detected, Revial's designated incident team initiates an investigation: it isolates the affected systems (if necessary, by temporarily taking them offline), identifies the cause and scope of the breach, and takes corrective action. Revial documents every step and conducts a post-incident review to learn from the event. Revial notifies the Customer of personal data breaches in accordance with the DPA and assists the Customer in any necessary notifications to authorities or data subjects.
Sub-processor Management: Revial ensures that the sub-processors it uses (see Appendix 3) comply with security measures at least as strict as Revial's own. Before engaging a new sub-processor, Revial evaluates the provider's security practices and certifications (e.g., ISO 27001 certification, SOC 2 report) and contractually binds the sub-processor to data protection obligations. Revial requires its sub-processors to maintain, among other things, confidentiality, adequate staff training, technical protection, and prompt notification to Revial of security breaches. Revial monitors the security level of its key sub-processors, for example, by regularly requesting their audit reports or notifications of security events. If deficiencies are identified in a sub-processor's operations, Revial takes action (e.g., requiring corrections or, if necessary, switching service providers).
Appendix 3: Sub-processors
| Sub-processor | Description (Function) | Location |
|---|---|---|
| Supabase, Inc. | Cloud database, authentication, and storage platform. Hosts Revial's service database containing Customer's personal data (contacts, notes, transcriptions, files). | EU (Stockholm) |
| Stripe, Inc. | Payment service provider. Processes Customer's payment and billing information for secure payment transactions. | EU |
| OpenAI, L.L.C. | AI service provider (language model API). Processes text content submitted to the Service (e.g., meeting notes, message drafts) to generate AI-powered outputs (summaries, suggestions). | EU (primary) / USA (SCC-governed) |
| Skribe VOF (Skribby) | Meeting transcription service. Processes meeting audio recordings and produces text transcriptions for Customer use. | EU (Belgium) |
| Resend, Inc. | Email service provider. Processes email delivery for the Service's communication features. | USA (SCC) |
| Google LLC | Calendar integration (Google Calendar API). Enables synchronization of Customer's calendar data with the Service upon Customer authorization. | USA (SCC, EU-U.S. Data Privacy Framework) |
| Microsoft Corporation | Calendar and email integration (Microsoft Graph API). Enables synchronization of Customer's Microsoft 365 data with the Service upon Customer authorization. | USA (SCC, EU-U.S. Data Privacy Framework) |
| PostHog, Inc. | Analytics service. Collects and processes anonymized usage data to improve the Service and user experience. | EU (Frankfurt) |
| Zapier, Inc. | Integration platform. Enables Customer-configured automations and integrations with third-party services under Customer's direction and authorization. Note: Customer-directed integration. | USA (SCC) |
| Vercel, Inc. | Cloud infrastructure for Revial's application. Provides hosting for the service interface and backend functions, as well as CDN content delivery (enabling global service availability). | EU (primary) & Global CDN (EU/USA, SCC for transfers) |
| OpenAI, L.L.C. | Backup model (language model API). Acts as a fallback system if the primary AI service is unavailable. Not in active use. Processes Customer's text content as needed to generate AI-powered outputs. | EU (primary) / USA (SCC-governed) |