
Revial data processing agreement

1. Background

This Data Processing Agreement ("DPA") is incorporated by reference into the Terms and constitutes an integral part of the Agreement between Revial (the Service Provider) and the Customer. This DPA sets out the terms and conditions under which the Service Provider processes Personal Data on behalf of the Customer under the Agreement.

2. Scope of application

To the extent that the Customer enters personal data into the Services or otherwise processes it in connection with the provision of the Service, the Parties acknowledge that the Customer is the controller and the Service Provider is the processor, processing the personal data on behalf of the Customer for the purpose of providing the Services.

In the event of any conflict between this DPA and any other part of the Agreement, this DPA shall prevail.

3. Definitions

Unless otherwise defined in this DPA or the Agreement, terms used in this DPA, such as "controller", "processor", "data subject" and "personal data", have the same meaning as in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection provisions.

4. Processing of personal data

The purpose of processing personal data under this DPA is to provide the Services to the Customer. The processing of personal data in this context refers to the storage, maintenance and processing operations necessary for the Service. The processing, categories of data subjects and types of personal data processed are set out in Annex 1 (Processing Details).

Personal Data may be processed for as long as the Services are provided under the Agreement and thereafter if required by applicable law or the contractual obligations or rights of either Party.

5. Customer instructions and responsibilities

The Service Provider will process personal data in accordance with the Customer's written instructions set out in this DPA. The Parties agree that this DPA constitutes the Customer's complete written instructions to the Service Provider in the Customer's capacity as controller. Additional instructions are subject to a separate written agreement between the Parties.

The Customer is responsible for ensuring that the processing of its personal data in connection with the Service complies with applicable data protection legislation.

6. General obligations of the service provider

The Service Provider shall assist the Customer, upon the Customer's written request and at the Customer's sole expense, in responding to requests from data subjects or supervisory authorities or in other matters where the processor is required to assist the controller under the GDPR. Unless another pricing basis is agreed, the Service Provider shall be entitled to charge for such assistance in accordance with its then-current staff rates.

The Service Provider will inform the Customer as soon as possible after receiving a request from a data subject to exercise his or her rights under the GDPR.

The Service Provider will maintain a record of the processing activities for which it is responsible in order to ensure its compliance as a processor with the GDPR. Upon written request by the Customer, the Service Provider shall provide the Customer with sufficient information, to the extent necessary, to demonstrate the Service Provider's compliance with its obligations under this DPA and the GDPR.

7. Information security

The Service Provider shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security of personal data and to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration or disclosure for the purposes of the Services. The security of the Service is described in Annex 2: Revial's technical and organisational security measures. The Service Provider shall have the right to develop and modify the security measures of the Service in its sole discretion and in accordance with evolving technology, provided that the security of the Service is not materially degraded. An up-to-date description of the security measures is available to the Customer on request and/or on the Service Provider's website.

In the event of a personal data breach, the Service Provider will notify the Customer without undue delay after becoming aware of the breach and will take reasonable steps to mitigate the damage caused by the breach. The notification shall contain such information as the Service Provider may reasonably provide to the Customer, including the following:

(a) a description of the nature of the personal data breach, including, where possible, the categories of data subjects and the personal data concerned;
(b) the name and contact details of the contact point for further information;
(c) a description of the likely consequences of the personal data breach; and
(d) a description of the measures taken or proposed to remedy the personal data breach.

The information may be provided in stages if it is not possible to provide all the information at the same time.

The Service Provider will cooperate with and assist the Customer to a commercially reasonable extent, upon the Customer's written request, in the notification of personal data breaches to the supervisory authority as required by the GDPR. The Service Provider shall document personal data breaches and keep the documentation available to the Customer upon written request.

8. Sub-processors

The Service Provider has the right to use sub-processors to provide the Service. The Service Provider provides information about its sub-processors in Annex 3 (Sub-processors) and on its website, where up-to-date information about sub-processors is always available. The Service Provider shall notify the Customer in writing (including by e-mail) of any future changes to the sub-processors at least fourteen (14) days in advance to allow the Customer sufficient time to object to the change. The Customer consents to the Service Provider's use of sub-processors as described in this section.

The Service Provider is responsible for ensuring that its sub-processors are subject to data protection obligations substantially equivalent to those described in this DPA. The Service Provider is responsible for its sub-processors and their compliance with the obligations of this DPA.

9. Transfers of personal data

The Service uses sub-processors, some of which are located and process personal data within the European Economic Area ("EEA"); for these sub-processors, the personal data is stored within the EEA. As described in Annex 3 (Sub-processors), some of the sub-processors may also be located outside the EEA, which the Customer accepts, provided that (i) the sub-processor carries out the international transfer of personal data in accordance with the applicable EU standard contractual clauses (SCCs); or (ii) the transfer of personal data is carried out using another safeguard under applicable data protection regulation, such as the EU-US Privacy Shield Framework or an adequacy decision.

10. Audits

Upon written request by the Customer and at the Customer's sole expense, the Customer shall have the right to audit the Service Provider's compliance with its obligations under the GDPR and this DPA once every twelve (12) months. The audit report and related information shall be considered confidential information of the Service Provider.

11. Confidentiality of information

The Service Provider is responsible for ensuring that persons and entities processing personal data under this DPA are bound by an appropriate confidentiality obligation. In all other respects, confidentiality and secrecy shall be as agreed in the Terms.

12. Other terms, validity and termination

In all other respects, the contractual provisions of the Terms (including, for the sake of clarity, the provisions concerning liability and limitations of liability for damages) shall apply to this DPA.

This DPA shall enter into force simultaneously with the rest of the Agreement and shall remain in force until the Agreement expires or for as long as the Service Provider processes personal data on behalf of the Customer.

Unless otherwise instructed by the Customer in writing, and unless the retention of personal data is necessary under applicable law, the Service Provider shall delete and destroy the personal data processed on the basis of this DPA at the latest within the time limits set out in clause 4.4 of the Terms, during which the Customer may retrieve its data, including the personal data contained therein, from the Service.

Annex 1: Processing details

The following information complements this DPA and describes the parties to the processing, the nature, purpose, duration, types of personal data and categories of data subjects in accordance with the requirements of Article 28 of the GDPR.

  • Controller: the Customer (the customer organisation as defined in Revial's main contract). Address: the Customer's legal address (as specified in the main agreement). Contact person: the Customer's representative (e.g. signatory or data protection officer).

  • Role: Controller - The Customer uses the Revial Service to process personal data for its own purposes (sales and customer relations) and determines the purposes and means of the processing.

  • Processor: Spinder Company Oy (business ID 3128583-8, Finnish limited liability company). Address: c/o Second Office, Kempeleentie 7, 90400 Oulu, Finland. Contact person: Revial's Data Protection Officer or contact person (support@revial.com).

  • Role: Processor - Revial provides a cloud-based sales software service (including artificial intelligence features) and processes the Customer's personal data on the Customer's behalf to provide the Service in accordance with the terms of the Main Agreement.

  • Nature and purpose of the processing: the processing of personal data is necessary for Revial to provide the Customer with the functionalities of the Service. The processing includes, inter alia, the storage of data in Revial's cloud-based system (customer data and notes in a CRM-like manner), the organisation and retrieval of data, the generation of AI-based analyses and summaries of the content entered by the Customer (e.g. automatic summarisation of meeting notes or generation of draft emails), and communication features (e.g. email integration, reminders). The processing is mainly automated and is the result of actions taken by the Customer in the Service. Revial processes data only to the extent required for the provision and technical maintenance of the Service.

  • The purpose of the processing is to enable the Customer to improve the efficiency of its sales processes: the Customer can store and manage sales leads, customer data and contacts, track sales conversations, and use AI-generated analyses and suggestions as part of its sales efforts.

  • Subject matter and duration of processing: the subject matter of the processing is personal data provided by or collected on behalf of the Customer in connection with the Customer's sales and customer relationship activities. The processing starts when the Customer first uploads personal data to the Revial Service and continues throughout the duration of the main contract. The processing of Personal Data will cease when the Main Agreement expires and all of the Customer's Personal Data has been returned or removed from the Revial environment in accordance with this DPA. Typically, the processing will be continuous for the duration of the contract (personal data will be added, edited, analysed and deleted by the Customer on a regular basis in connection with the use of the Service).

  • Types of personal data: the main categories of personal data processed by the Service are:

    • Contact information: names of persons, job titles, name of employer or organisation, work or business email addresses, telephone numbers, postal addresses and other similar contact information (e.g. contact details of Customer's sales affiliates and customers, professional contact details of Customer's employees).

    • Communication content: the content of conversations and messages related to sales and customer contacts. This may include meeting notes, meeting and call recordings and transcripts, email messages and chains, chat or messaging platform discussions, quotations and draft contracts, and other documents containing people's comments, opinions, scheduling information, etc.

    • Event and follow-up data: information on actions and interactions in the sales process. For example, records of meeting times and attendees, quotes sent, times of calls or presentations, and related results (e.g. "quote accepted/rejected", "follow-up call scheduled for date X"). This information may include the name of the person and other information as part of the records.

    • User and log data: basic information related to the accounts of the Customer's authorized users (e.g. employees) on the Service, such as name, username, email address, as well as log data collected from the use of the Service, such as login times, key actions performed by the user (e.g. adding or editing data), IP address of the user's device and other technical event data. This information may be considered personal data when it relates to an identifiable person (the Customer user).

    • Specific categories of personal data (e.g. racial/ethnic origin, political opinions, religious beliefs, health or biometric data, criminal records) are not intended or permitted to be processed on the Service.

  • Categories of data subjects: the following categories of data subjects may be concerned by the personal data processed by the Customer in the Service:

    • Customer's own personnel: employees, agents or other users of the Service whose personal data (mainly professional contact details and user account details) are processed in connection with the use of the Service (e.g. sales staff or team members whose activities are recorded in the system and whose contact details may appear in meeting invitations or communications).

    • Customer's customers and leads: natural persons (sole traders, business customer contacts, consumer customers) who are the subject of the Customer's sales or marketing activities and whose data are stored by the Customer in the system. This category includes, for example, potential customers ("leads"), existing customers, contacts of business partners and other business contacts. Their data may include contact information and communication content, as described above.

    • Third party representatives: other persons who may appear in the data stored by the Customer. For example, if a representative of another company or a recommender attends a sales meeting with the Customer, their name and speech may be included in the meeting note or transcript. Similarly, if the Customer enters the details of an end-customer contact person as part of the sales process, that person will be registered with the Service.

  • Duration and termination of processing: the processing of personal data continues throughout the contractual relationship. The duration of the data retention period will remain unchanged for the duration of the contractual relationship. Revial will comply with the Customer's instructions regarding the deletion of data during the contractual period. At the end of the contract, the personal data will either be returned to the Customer or permanently deleted, as agreed in clause 12 of the DPA.

Annex 2: Technical and organisational security measures for Revial

Revial has implemented the following key technical and organisational measures to protect personal data against unauthorised or unlawful processing, loss, destruction or damage. These measures have been designed taking into account the state of the art of the processing, the cost of implementation, the nature, scope and purposes of the processing and the risks to personal data.

  • Access control: access to the Customer's personal data is limited to authorised persons who have a necessary need to process the data for their work. Revial uses role-based access rights: employees and system processes are granted only minimum rights ("need-to-know" and "least privilege" principles). Strong authentication is required to log into the system; at a minimum, a username and password are required for service management interfaces, and additional multi-factor authentication (MFA) for critical systems where possible. Default passwords will be changed during the deployment phase. Access rights are regularly reviewed, and when an employee's role changes or employment ends, his or her access to personal data is removed or blocked without delay. All persons with access rights must agree to confidentiality (as described in section 11).

  • Encryption: Revial protects personal data with strong encryption methods both during transmission and at rest. All network traffic between the user's browser (or other client application) and Revial's server is encrypted using TLS (Transport Layer Security) protocol (version 1.2 or higher), which prevents unauthorized interception of data in transit. Data on servers and databases is encrypted at rest using a strong encryption algorithm (e.g. AES-256). Encryption keys are securely managed (using cloud provider key management services or equivalent mechanisms) and access to the keys is restricted to a few authorised persons. Backups and removable media containing personal data are also encrypted to ensure that data is protected under all circumstances.

  • Network and application security: Revial's cloud infrastructure uses firewalls and network segmentation to protect personal and customer data. Only essential services and ports are open to the Internet; otherwise, access to internal databases and services is limited to Revial's internal network or VPN connections. Revial uses service providers to manage routing and content distribution, including DDoS protection. At the application layer, Revial has implemented mechanisms to prevent common malicious events (e.g. rate-limiting suspiciously frequent activity such as brute-force login attempts). Revial continuously updates its software components against known vulnerabilities: critical security updates are installed promptly, within a few business days of release at the latest. Revial's code and infrastructure are regularly scanned for vulnerabilities using automated tools. In addition, Revial periodically commissions external experts to perform penetration tests on its systems; the results of these tests are reviewed and any weaknesses identified are remediated without delay.

  • Logging and monitoring: Revial monitors its systems to detect security threats and errors. Comprehensive log collection is maintained for key systems, including user logins, relevant operations (e.g. adding, editing and deleting records), system error messages and server resource usage. These logs are protected against unauthorised editing and are kept for a specified period of time. Revial has automatic alerts in place - for example, repeated failed logins, unusually large database queries or spikes in server performance are reported to the maintenance team. The Revial team monitors log data and alerts on a regular basis. Any anomalies (e.g. unauthenticated login attempts or unusual searches on data) are investigated immediately. Logs are also used for forensics in the event of a security breach.

  • Staff training and reliability: data security and data protection are part of Revial's corporate culture. New employees are familiarised with Revial's information security and data protection policies, and all staff are trained at least annually, covering GDPR principles, good security practices (e.g. phishing attack detection) and internal company guidelines on the processing of personal data. Employees in critical roles may be subject to background checks at the recruitment stage, to the extent permitted by applicable law. All Revial employees have signed non-disclosure agreements and have agreed to comply with the company's data security and privacy policies. Revial has defined internal disciplinary measures in the event of any breach of data protection or security obligations by an employee.

  • Backups and continuity: Revial ensures the availability and integrity of personal data by maintaining regular backups. Databases containing personal data are backed up daily (or more frequently if business continuity requires it). Backups are kept encrypted in a separate storage location (e.g. in a different service provider's storage or in a different region) protected against physical and logical threats. Revial has defined target times for data recovery: in critical cases, the Recovery Time Objective (RTO) is typically 24-48 hours and the Recovery Point Objective (RPO) is 24 hours or less (i.e. backup frequency is such that up to 24 hours of data can be lost in a worst case scenario). Backup recovery is regularly tested to ensure that data can be read and restored as expected in the event of a real disaster. Revial has a disaster recovery plan: in the event of a serious failure of the primary server infrastructure, Revial can restart its service in a backup environment (possibly in another data centre or in the cloud) as quickly as possible.

  • Incident management: Revial has a written incident management plan. It defines measures and responsibilities in case of suspected or detected security breaches (including a communication plan, escalation path and cooperation with authorities). Revial staff are trained to identify and report security breaches internally and immediately. When a potential personal data breach is detected, Revial's designated incident team launches an investigation: isolating the affected systems (temporarily taking them down if necessary), identifying the cause and extent of the breach, and taking corrective action. Revial will document each step and conduct a post-incident review to learn from what happened. Revial will notify the Customer of any personal data breaches in accordance with the DPA and will assist the Customer with any notifications to supervisory authorities or data subjects.

  • Sub-processor management: Revial ensures that the sub-processors it uses (see Annex 3) apply security measures at least as stringent as those applied by Revial itself. Before introducing a new sub-processor, Revial will assess the security practices and certifications of the supplier (e.g. ISO 27001 certification, SOC2 report) and contractually ensure the sub-processor's commitment to data protection obligations. Revial requires its sub-processors to respect confidentiality, provide adequate staff training, ensure technical security and report security breaches to Revial without delay. Revial monitors the level of security of its main sub-processors, for example by regularly requesting their audit reports or notifications of security incidents. In the event of any deficiencies detected in the sub-processor's performance, Revial will take action (e.g. require remediation or change the service provider if necessary).

Annex 3: Sub-processors

Listed below are the sub-processors (sub-contractors) used by Revial to process the Customer's personal data as part of the provision of the Services. For each sub-processor, the service/role it provides and the primary location where the personal data is processed are described. Where the location is outside the EU/EEA, the transfer basis used (e.g. SCCs) is indicated.

Revial maintains an up-to-date list of the sub-processors it uses. If Revial adds, changes or removes sub-processors, it will inform the Customer in advance in accordance with clause 8. The Customer may also request further information about the security measures or privacy practices of individual sub-processors and Revial will provide such information as is reasonably requested (subject to confidentiality).