Last updated: April 1, 2024
THIS DATA PROCESSING ADDENDUM (“DPA”) is the DPA referred to and incorporated by those Terms and Conditions (the “Agreement”) between the Parties respecting the RevTap products and services. This DPA reflects the Parties’ agreement regarding the Processing of Personal Data, in accordance with the requirements of Applicable Data Privacy Law and shall be incorporated into and form part of the Agreement. This DPA will terminate in accordance with the termination provisions of the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail. All Agreement terms and conditions not in conflict with those found herein are as provided for in the Agreement, and all capitalized terms not defined herein are as defined in the Agreement.
1. Definitions. The following definitions and rules of interpretation apply in this Agreement:
(a) “Applicable Data Privacy Law” means all applicable United States federal, state and local laws and regulations pertaining to the Processing of Personal Data under or in connection with the Agreement, which are currently in effect and as they become effective or amended, including but not limited to the California Consumer Privacy Act (“CCPA”), Colorado Privacy Act, Connecticut Data Privacy Act, Virginia Consumer Data Protection Act, and Utah Consumer Privacy Act.
(b) “Controller” means any person or entity that determines the purposes and means of Processing Personal Data, and on whose behalf, RevTap, in its capacity as a Processor or Subprocessor, as well as any contractors who may be engaged by RevTap, act in relation to the Processing of Personal Data. The Controller, for purposes of this DPA, may be the Client, a Client customer, or a Client customer’s end user. A Controller may also sometimes be a “Business” as such term is defined under the CCPA.
(c) ”Data Subject” means the persons or categories of persons whose Personal Data is provided, made accessible to RevTap, or collected by RevTap for the purpose of performing the Services for Client, and includes the categories of data subjects described in Exhibit A to this DPA.
(d) “Personal Data” shall include “personal data,” “personal information,” or an equivalent term used by Applicable Data Privacy Law to the extent such data or information is accessed, collected, stored, transmitted, processed, hosted, used, handled, or disposed of by RevTap in connection with the Agreement. This includes both Personal Data which belongs to Client, as well as Personal Data that belongs to and/or is provided by a Client’s customer, and/or such Client customer’s end user(s), and Sensitive Personal Data as defined in this DPA.
(e) “Personal Data Breach” means any actual or reasonably suspected breach of security that has resulted or is reasonably likely to result in the accidental, unlawful or unauthorized acquisition, modification, destruction, loss, alteration, encryption, disclosure, Processing of, or access to, Personal Data.
(f) “Personnel” shall mean a person or entity’s employees, agents, consultants or contractors.
(g) “Processing” means any operation or set of operations which is performed upon Personal Data by or on behalf of Client or Client’s own customers and/or their end users in connection with the Agreement, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(h) “Processor” or “Subprocessor” means any entity which Processes Personal Data on behalf of a Controller, either directly or indirectly as a subcontractor. This definition also incorporates all elements of the CCPA definition of “Service Provider.” Client may be a Processor for a Controller, in which case RevTap shall be serving as Subprocessor, or RevTap may be the direct Processor to Client as Controller, depending on the circumstances. In either case, RevTap shall only ever be considered a Processor (or Service Provider) under Applicable Data Privacy Law, and shall never be considered nor have any of the legal obligations of a Controller (or Business).
(i) “Processing Instructions” means the written instructions provided by Client to RevTap stating how the Personal Data shall be Processed and may include specifications regarding Data Subjects, Personal Data type and category.
(j) “Sensitive Personal Data” means Personal Data that reveals a Data Subject’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password or credentials allowing access to an account; a precise geolocations; racial or ethnic origin, religious or philosophical beliefs, or union membership; and the contents of mail, email, and text messages unless the Controller is intended recipient of the communication; or processing biometric data for the purpose of identifying the Data Subject and Personal Data collected and analyzed concerning health status; sex life or sexual orientation.
(k) “RevTap Subcontractor” means a subcontractor of RevTap engaged pursuant to the terms of this DPA.
(l) “Commercial Purpose,” “Sell,” and “Share”, when capitalized, shall have the respective meanings given thereto in the CCPA/CPRA as amended.
2. Client Obligations
Client shall:
(a) Ensure that only lawfully collected Personal Data is provided to or made accessible for Processing by RevTap, including by ensuring Client or the applicable Controller of such Personal Data has: (i) implemented appropriate notices regarding its collection and Processing of Personal Data; (ii) collected the Personal Data from Data Subjects after obtaining any legally required consents for the Processing of such Personal Data (including Processing that permits the sharing of Personal Data with RevTap for the purposes set forth in any applicable SOW); and (iii) conducted relevant data protection assessments to the extent required by Applicable Data Privacy Law.
(b) Provide RevTap with Processing Instructions detailing the nature and purpose of the Processing required to accomplish the Services, as applicable to the Personal Data and in conformance with Processing Instructions provided by the applicable Controller, in a manner that complies with Applicable Data Privacy Law;
(c) Ensure that it has enforceable arrangements in place with any applicable third parties from where any such Personal Data was received adequate for the lawful Processing of the Personal Data by RevTap in accordance with the Processing Instructions;
(d) Provide RevTap with prompt notice of (i) any Controller or Processor directives, instructions, or requests regarding Personal Data disclosed under this DPA; and (ii) verifiable requests from Data Subjects to delete their Personal Data;
(e) Not provide or make accessible to RevTap any Personal Data of Data Subjects residing in the European Union without first (i) notifying RevTap in writing; and (ii) executing a mutually agreeable Data Processing Addendum with RevTap that provides for additional compliance with GDPR specific regulations (separate from this DPA). The obligations of this Section 2 shall survive any termination of the Agreement.
3. RevTap Obligations:
(a) RevTap shall not: (i) Sell or Share any Personal Data; (ii) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services under and in accordance with the Agreement and this DPA, including retaining, using, or disclosing Personal Data for a Commercial Purpose other than the provision of the Services; or (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between RevTap and Client.
(b) RevTap will Process Personal Data in accordance with the Processing Instructions, including any specific instructions regarding Sensitive Personal Data.
(c) RevTap will not collect, use, retain, disclose, Sell, Share, Process, or otherwise make Personal Data available for RevTap’s own Commercial Purposes or in a way that does not comply with Applicable Data Privacy Law. If RevTap is legally required to disclose Personal Data for a purpose unrelated to the Services, RevTap must first inform Client of the legal requirement and give Client an opportunity to object or challenge the requirement, unless such notice is legally prohibited.
(d) RevTap will limit Personal Data collection, use, retention, Processing and disclosure to activities to those reasonably necessary and proportionate to achieve the Commercial Purpose of the Services or another compatible operational purpose.
(e) RevTap will cooperate with any request or instruction from Client or the Controller to provide, amend, transfer, return, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized Processing, to the extent required by Applicable Data Privacy Law. For clarity, and without limitation, RevTap shall not be required to comply with a deletion request submitted by a Data Subject directly to RevTap to the extent RevTap has collected, used, processed, or retained the Personal Data of the Data Subject solely its role as a Service Provider/Processor.
(f) If the Services require the collection of Personal Data from individuals on the Controller’s behalf, RevTap will provide a notice compliant with Applicable Data Privacy Law at collection as mutually agreed between RevTap and Client. The agreed upon language of such notice shall be included in the Processing Instructions. RevTap will not modify or alter the agreed upon notice without Client’s prior written consent.
(g) If Applicable Data Privacy Law permits, RevTap may aggregate, deidentify, or anonymize Personal Data so it no longer meets the Personal Data definition, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes that do not violate this DPA or Applicable Data Privacy Law. RevTap will not attempt to or actually re-identify data that is already aggregated, deidentified, or anonymized and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.
(h) RevTap will not combine Personal Data it Processes pursuant to this DPA with other Personal Data RevTap receives from, or on behalf of, another person or persons or collects from its own separate interaction with Data Subjects.
(i) RevTap shall promptly notify Client if RevTap determines it is no longer able to meet its obligations under Applicable Data Privacy Law and shall, upon notice, allow the Client or Controller to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
(j) Taking into account the nature of RevTap’s Processing and the Personal Data available to RevTap (including whether or not such Personal Data is within RevTap or a RevTap Subcontractor’s control), RevTap will reasonably cooperate and assist Client to comply with a Controller’s requests and directions related to Personal Data disclosed, the Controller’s Applicable Data Privacy Law compliance obligations, and responses to Applicable Data Privacy Law inquiries, including responding to verifiable Data Subject requests. Notwithstanding anything to the contrary in this DPA, should RevTap receive a Data Subject request directly from a Data Subject or its authorized agent as to Personal Data collected solely in its role as a Service Provider/Processor, RevTap may inform the Data Subject that its request cannot be acted upon because the request was sent to a Service Provider.
(k) RevTap will provide necessary information to enable Client or other applicable Controller to conduct and document data protection assessments as required by Applicable Data Privacy Law.
(l) RevTap will notify any downstream recipients of Personal Data who have accessed such Personal Data from or through RevTap of a verifiable Data Subject request for deletion, unless such Personal Data was accessed at the direction of the Controller, or doing so proves impossible or involves disproportionate effort.
(m) Without obligating RevTap to proactively investigate Processing Instructions, and to the extent required by Applicable Data Privacy Law, RevTap will inform Client if it becomes aware that Processing Instructions violate Applicable Data Privacy Law.
(n) RevTap will notify Client if it receives a complaint, notice, or communication that directly or indirectly relates to either Party’s compliance with Applicable Data Privacy Law.
Notwithstanding anything herein to the contrary, RevTap shall never be required to: (1) reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Data; (2) retain any Personal Data if, in the ordinary course of business, it would not be retained; (3) maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable Data Subject request with Personal Data; or (4) assist Client or other applicable Controller after termination of the Agreement and any applicable return or deletion of Personal Data by RevTap, unless required by Applicable Data Privacy Law.
4. Audits and Inspections
During the Term:
(a) RevTap shall provide information and assistance reasonably requested by Client or the applicable Controller to demonstrate its and/or a Client client’s, and/or Client client end user’s compliance, as applicable, with this DPA and Applicable Data Privacy Law.
(b) RevTap shall allow for and contribute to audits by Client, any applicable Controller, or an independent third party auditor mutually agreed to by all parties in relation to RevTap’s Processing of Personal Data, compliance with the obligations under this DPA and/or Applicable Data Privacy Law. Such audits may require RevTap to complete questionnaires and/or make certain relevant available documentation for review, or to grant access to relevant RevTap and/or RevTap Contractor Personnel for interviews.
(c) Audits shall be conducted no more than once every twelve (12) months for no more than one (1) business day, and RevTap shall be provided with thirty (30) days advanced written notice of any audit or inspection to be conducted under this Section, unless (i) such an audit needs to be conducted on an emergency basis where Client or Controller can demonstrate genuine concerns about material non-compliance with this DPA and/or Applicable Data Privacy Law, or (ii) Client or any Controller is required to carry out an audit under Applicable Data Privacy Law.
(d) If it is established during an audit, inspection, or report that RevTap has failed to comply with its obligations under this DPA or Applicable Data Privacy Law, Client shall notify RevTap and RevTap shall take reasonable measures necessary to ensure its compliance as soon as reasonably practicable.
(e) RevTap may procure an annual audit by an independent third party to verify that RevTap has implemented and maintains controls, safeguards, information security program and other requirements described in this DPA and may provide Client with the results of such audit upon request in lieu of the other audit obligations of this Section 4(a) – 4(d). If such audit reveals one or more material vulnerabilities, RevTap will correct each such vulnerability at its own cost and expense and certify in writing that it has done so.
5. Security and Other Supplementary Measures During the Term:
(a) RevTap shall implement and maintain reasonably appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, damage, or unauthorized disclosure or access.
(b) RevTap agrees not to allow, unless required by law, regulations, order of a court or any regulatory, judicial, governmental or similar body or authorized by Client, access to Personal Data (excluding any publicly available data) by any administrative body, authority or agency. Before RevTap discloses any such Personal Data, RevTap shall (to the extent permitted by law) inform Client of the circumstances of the required disclosure and the Personal Data that must be disclosed. Client agrees to reasonably and promptly work with RevTap to determine the legal requirements for disclosure.
(c) RevTap represents and warrants that it has not purposefully created “backdoors” or other similar programming that could permit access, including access by any governmental authority, law enforcement agency, or public body, to systems that store or otherwise Process Personal Data.
(d) Personal Data will be restricted to only those RevTap Personnel with a need to know such information in connection with RevTap’s Services under the Agreement.
(e) RevTap will not commingle or combine Personal Data with any other information other than for the purpose of fulfilling RevTap’s obligations under this Agreement.
(f) RevTap will notify Client of a Personal Data Breach as soon as reasonably practicable.
(g) Notwithstanding anything to the contrary in this DPA, RevTap may always use Personal Data to detect data security incidents or protect against fraudulent or illegal activity.
6. Subcontracting by RevTap:
(a) RevTap may engage RevTap Subcontractors who will have access to Personal Data so long as (i) they are engaged pursuant to a written contract that requires compliance with Applicable Data Privacy Law and that contains terms that are at least as protective as the requirements of this DPA; and (ii) Client is notified of their engagement and has an opportunity to object.
(b) Notifications to Client regarding the use of RevTap Subcontractors shall include (i) name, address, and contact information, (ii) Type of services provided, (iii) Personal Data categories to be disclosed. Client acknowledges notification of the RevTap Subcontractor list contained in Exhibit A hereto, and consents to their utilization by RevTap.
(c) Client may request RevTap provide the information enumerated in subsection 6(b) above for any RevTap Subcontractors in the preceding 12-months.
(d) RevTap remains liable to the Client to the same extent provided for in the Agreement for a RevTap Contractor’s acts, errors, and omissions as if they were RevTap’s own acts, errors or omissions.
(e) Upon Client or a Controller’s written request, RevTap will audit a RevTap Contractor’s compliance with its Personal Data obligations and provide the Client or Controller with the audit results.
7. Affiliates. The Parties have entered into this DPA each for itself and on behalf of, and for the benefit of, any current or future Affiliates. The Parties acknowledge and agree that all references to a Party herein shall, where the context permits and requires, refer to each such Party’s Affiliate(s). The Parties expressly agree that Affiliate(s) will have the right to enforce the provisions of this DPA.
8. Representations and Warranties; Modifications for Compliance with Applicable Data Privacy Law. RevTap represents and warrants that it understands the restrictions and prohibitions on selling Personal Data, and retaining, using, or disclosing Personal Data outside of the Parties’ direct business relationship, both as found in this DPA and Applicable Data Privacy Law, and it will comply with them. Both Parties represent and warrant that they have no reason to believe any Applicable Data Privacy Law requirements or restrictions prevent the lawful Processing of Personal Data under the Agreement and this DPA, as such Processing is described herein and any SOW. The Parties agree to promptly notify each other regarding changes to Applicable Data Privacy Law requirements that may impact this DPA and thereafter endeavor in good faith to amend the DPA in order to achieve legal compliance.
IN WITNESS WHEREOF, the Parties have caused this DPA to be executed by their duly authorized officers or representatives.