Data Processing Agreement

Effective Date: October 1, 2019

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Use available at Terms & Conditions (the “Terms”) and is applicable where RevvSales Inc. (“Revv”) is the Processor of Personal Data belonging to a subscriber to the Revv Services (“Customer”). In the event of a conflict between this DPA and the Terms, this DPA shall prevail.

The Customer and Revv shall also be referred to collectively as the “Parties” and individually as “Party”.

1. Definitions

Terms not specifically defined herein shall have the meaning ascribed thereto in the Terms of Use.

In this DPA, the following terms shall have the following meanings:

“GDPR” shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

“Model Clauses” means the standard contractual clauses for Processors as approved by the European Commission (Decision C(2010)593) and available at (as amended or updated from time to time).

“Controller”, “Data Subject”, “Personal Data Breach”, “Processor”, and “Supervisory Authority” shall have the meaning given to them in the GDPR.

2. Scope and Responsibilities

2.1This DPA applies to Processing of Customer’s Personal Data.

2.2Revv shall Process Personal Data only on behalf of the Customer and at all times only in accordance with this DPA, and the respective Appendix.

2.3The Parties acknowledge that with respect to Processing Personal Data, the Customer shall be deemed the Controller and Revv the Processor.

2.4Within the scope of this DPA, each Party shall be responsible for complying with its respective obligations as Controller and Processor under GDPR.

3. Term and Termination

3.1 This DPA shall continue to be in full force and effect as long as Revv is Processing Personal Data pursuant to the Terms and shall terminate automatically thereafter.

3.2 Where amendments are required to ensure compliance of this DPA or an Appendix with GDPR, the Parties shall make reasonable efforts to agree on such amendments upon request of the Customer.

4. Processing Instructions

4.1 Revv will Process Personal Data in accordance with Customer's instructions. This DPA contains Customer's initial instructions to Revv. The Parties agree that Customer may communicate any change in its initial instructions to Revv by way of amendment to this DPA.

4.2 For the avoidance of doubt, any instructions that would lead to Processing outside the scope of this DPA (e.g. if a new Processing purpose is introduced) will require a prior agreement between the Parties.

4.3 Revv shall, without undue delay inform the Customer in writing if, in Revv's opinion, an instruction infringes GDPR, and provide a detailed explanation of the reasons for its opinion in writing.

5. Revv Personnel

Revv will restrict its personnel from Processing Personal Data without authorization. Revv will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection, and data security.

6. Disclosure to Third Parties

Revv will not disclose Personal Data to any government agency, court, or law enforcement agency except with written consent from Customer or as necessary to comply with applicable mandatory laws. If Revv is obliged to disclose Personal Data to a law enforcement agency Revv agrees to give Customer reasonable notice of the access request prior to granting such access, to allow the Customer to seek a protective order or other appropriate remedies. If such notice is legally prohibited, Revv will take reasonable measures to protect the Personal Data from undue disclosure as if it were Revv’s own confidential information being requested and shall inform Customer promptly as soon as possible if and when such legal prohibition ceases to apply.

7. Data Subjects Rights

7.1 In case Customer receives any request or communication from Data Subjects which relates to the Processing of Personal Data ("SAR"), Revv shall reasonably provide the Customer with reasonable cooperation, information, and assistance in relation to any such SAR where instructed by Customer.

7.2 Where Revv receives a SAR, Revv shall (i) not directly respond to such Request, (ii) forward the request to Customer within ten (10) business days of identifying the Request as being related to the Customer, and (iii) provide reasonable assistance according to further instructions from Customer.

8. Subcontracting

8.1 Customer consents to Revv engaging third-party sub-processors as indicated in Appendix 1 to Process Personal Data to fulfill its obligations under the DPA provided that, Revv will provide at least fifteen (15) days’ notice to the Customer’s account administrator prior to the appointment or replacement of any sub-processor. The Customer may object to Revv’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Revv will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the access and use of Revv APIs (without prejudice to any fees incurred by Customer prior to such suspension or termination).

8.2 Where Revv, with Customer's consent, subcontracts its obligations and rights under this DPA it shall do so only by way of a binding written contract with the sub-processor which imposes essentially the same obligations according to Art. 28 GDPR especially with regard to instructions and TOMs on the sub-processor as are imposed on Revv under this DPA.

8.3 Where the sub-processor fails to fulfill its data protection obligations under the subcontracting agreement, Revv shall remain liable to Customer for the fulfillment of its obligations under this DPA and for the performance of the sub-processor 's obligations.

9. Technical and Organizational Measures

9.1 Revv shall implement and maintain appropriate technical and organizational security measures to ensure that Personal Data is Processed according to this DPA and to protect Personal Data against a Personal Data Breach ("TOMs"). Such measures shall include the measures set out in Appendix 2.

10. International Data Transfers

Revv shall at all times provide an adequate level of protection for Personal Data, wherever Processed, in accordance with the requirements of GDPR. Where Revv Processes Personal Data under this DPA that originates from the EEA (including United Kingdom) and/or Switzerland, any such processing shall be conditional on Revv complying with the Model Clauses, which are incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Model Clauses and only as between Revv and Customer, Revv agrees that it is a “data importer” and Customer is the “data exporter” under the Model Clauses (notwithstanding that Customer is located outside the EEA).

Further, Appendices 1 and 2 of this DPA will take the place of Annexes I and II of the Model Clauses respectively.

11. Assistance with Data Protection Impact Assessment

11.1Where a Data Protection Impact Assessment ("DPIA" ) is required under GDPR for the Processing of Personal Data, Revv shall provide upon request to Customer any information and assistance reasonably required for the DPIA and assistance for any communication with data protection authorities, where required, unless the requested information or assistance is not pertaining to Revv's obligations under this DPA.

11.2The Customer shall pay Revv reasonable charges for providing the assistance in clause 11, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the services.

12. Information Rights and Audit

12.1 Revv shall, in accordance with GDPR, make available to Customer on request in a timely manner such information as is necessary to demonstrate compliance by Revv with its obligations under this DPA.

12.2 Revv will immediately refer to Customer any requests received from national data protection authorities that relate to Revv’s Processing of Personal Data.

12.3 Revv undertakes to cooperate with Customer in its dealings with national data protection authorities and with any audit requests received from national data protection authorities.

13. Personal Data Breach Notification

In respect of any Personal Data Breach (actual or reasonably suspected), Revv shall:

13.1 notify Customer of a Personal Data Breach involving Revv or a sub-processor without undue delay and it shall be the responsibility of the Customer to inform the Supervisory Authority of such breach within 72 hours of notice by Revv;

13.2 provide reasonable information, cooperation, and assistance to the Customer in relation to any action to be taken in response to a Personal Data Breach under GDPR, including regarding any communication of the Personal Data Breach to Data Subjects and national data protection authorities.

14. Deletion or Return of Personal Data

Upon termination or expiry of this engagement, Revv shall delete all Customer Content, including Personal Data within 90 days of effective termination of the Customer’s account. Within such retention period, Customer may request export of the Customer Data by writing to Revv. This requirement shall not apply to the extent that Revv is required by applicable law to retain some or all of the Personal Data, in which event Revv shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

15. Miscellaneous

15.1 In case of any conflict, the provisions of this DPA shall take precedence over the provisions of any other agreement with Revv.

15.2 No Party shall receive any remuneration for performing its obligations under this DPA except as explicitly set out herein or in another agreement.

15.3 Where this DPA requires a “written notice” such notice can also be communicated per email to the other Party. Notices shall be sent to the contact persons set out in Appendix 1.

15.4 Any supplementary agreements or amendments to this DPA must be made in writing and signed by both Parties.

15.5 Should individual provisions of this DPA become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this agreement.

The following Appendices forms an integral part of this DPA:

APPENDIX 1

DETAILS OF THE PROCESSING OF PERSONAL DATA