Data Processing Agreement
Personal data processing terms in accordance with GDPR
1. Background
This data processing agreement ("DPA") is incorporated by reference into the Terms and forms an integral part of the Agreement between Revial (Service Provider) and Customer. It establishes conditions for how the Service Provider processes personal data on behalf of the Customer.
2. Scope
When Customer inputs personal data into the Services or it is processed during service delivery, both parties acknowledge that Customer acts as the controller and Service Provider as the processor, handling personal data on Customer's behalf for service provision purposes.
In case of conflicts between this DPA and other Agreement terms, this DPA takes precedence.
3. Definitions
Terms used here—such as "controller," "processor," "data subject," and "personal data"—carry meanings consistent with the General Data Protection Regulation (EU) 2016/679 and other applicable data protection legislation.
4. Personal Data Processing
The purpose of processing is delivering Services to Customer. This includes storage, maintenance, and necessary operational handling. Processing details, affected groups, and data types are outlined in Appendix 1.
Data processing continues throughout the service period and afterward if required by law or contractual obligations.
5. Customer Instructions and Responsibility
Service Provider processes data according to written instructions confirmed in this DPA. This document constitutes Customer's complete written guidance. Additional instructions require separate written agreement.
Customer ensures its data processing complies with applicable data protection regulations.
6. Service Provider's General Obligations
Upon written request and at Customer's expense, Service Provider assists with responding to data subject or authority requests. Assistance is billable at standard hourly rates unless otherwise agreed.
Service Provider promptly notifies Customer of requests from data subjects to exercise rights under GDPR.
Service Provider maintains records of its processing activities to demonstrate compliance, providing sufficient information to Customer upon written request.
7. Data Security
Service Provider implements appropriate technical and organizational measures ensuring adequate security levels and protecting personal data from unauthorized processing, accidental loss, destruction, damage, alteration, or disclosure. Security measures are described in Appendix 2.
The Service Provider may update security measures while maintaining adequate protection standards.
Upon learning of a personal data breach, Service Provider notifies Customer promptly and takes reasonable steps to mitigate harm. Notifications include: (a) breach nature description and affected groups; (b) contact information for further details; (c) probable consequences; and (d) implemented or proposed remedial actions.
Service Provider cooperates in a commercially reasonable manner with breach notifications to authorities and maintains breach documentation for Customer review.
8. Sub-processors
Service Provider may use sub-processors for service delivery. Sub-processors are listed in Appendix 3, and current information is available on the website.
Service Provider provides written notice of sub-processor changes at least fourteen (14) days in advance, allowing Customer adequate time to object. Customer consents to sub-processor use as described.
Service Provider ensures sub-processors maintain substantially equivalent data protection obligations and is responsible for their compliance.
9. Personal Data Transfers
The Service uses sub-processors, some of which are located within the European Economic Area ("EEA"), where personal data remains. Some sub-processors may operate outside the EEA (per Appendix 3), which Customer accepts if the sub-processor: (i) executes transfers under the applicable EU Standard Contractual Clauses (SCC); or (ii) uses other suitable mechanisms, such as the EU-U.S. Data Privacy Framework or adequacy decisions.
10. Audits
Upon written request and at Customer's expense, Customer may audit Service Provider's DPA and GDPR compliance once per twelve (12) months. Audit reports are considered Service Provider's confidential information.
11. Data Confidentiality
Service Provider ensures personnel and entities processing data under this DPA maintain appropriate confidentiality. Confidentiality obligations otherwise follow the Terms.
12. Other Terms, Effectiveness, and Termination
The provisions of the Terms otherwise apply, including the limitations on liability and damages.
This DPA becomes effective with the main Agreement and remains in force until Agreement termination or while Service Provider processes Customer data.
Unless Customer directs otherwise in writing and unless law requires retention, Service Provider deletes and destroys processed personal data within the timeframes set out in section 4.4 of the Terms, during which Customer can retrieve data from the Service.
Appendix 1: Processing Details
The following information describes parties, nature, purpose, duration, and data types/subject groups per GDPR Article 28.
[Full appendix content available upon request]
Appendix 2: Technical and Organizational Security Measures
Revial implements comprehensive security measures including access control, encryption, network security, logging, personnel training, backups, incident management, and sub-processor management.
[Full appendix content available upon request]
Appendix 3: Sub-processors
| Sub-processor | Description (Function) | Location |
|---|---|---|
| Supabase, Inc. | Cloud database, authentication, and storage platform. Hosts Revial's service database containing Customer's personal data (contacts, notes, transcriptions, files). | EU (Stockholm) |
| Stripe, Inc. | Payment service provider. Processes Customer's payment and billing information for secure payment transactions. | EU |
| OpenAI, L.L.C. | AI service provider (language model API). Processes text content submitted to the Service (e.g., meeting notes, message drafts) to generate AI-powered outputs (summaries, suggestions). | EU (primary) / USA (SCC-governed) |
| Skribe VOF (Skribby) | Meeting transcription service. Processes meeting audio recordings and produces text transcriptions for Customer use. | EU (Belgium) |
| Resend, Inc. | Email service provider. Processes email delivery for the Service's communication features. | USA (SCC) |
| Google LLC | Calendar integration (Google Calendar API). Enables synchronization of Customer's calendar data with the Service upon Customer authorization. | USA (SCC, EU-U.S. Data Privacy Framework) |
| Microsoft Corporation | Calendar and email integration (Microsoft Graph API). Enables synchronization of Customer's Microsoft 365 data with the Service upon Customer authorization. | USA (SCC, EU-U.S. Data Privacy Framework) |
| PostHog, Inc. | Analytics service. Collects and processes anonymized usage data to improve the Service and user experience. | EU (Frankfurt) |
| Zapier, Inc. | Integration platform. Enables Customer-configured automations and integrations with third-party services under Customer's direction and authorization. Note: Customer-directed integration. | USA (SCC) |
| Vercel, Inc. | Cloud infrastructure for Revial's application. Provides hosting for the service interface and backend functions, as well as CDN content delivery (enabling global service availability). | EU (primary) & Global CDN (EU/USA, SCC for transfers) |