Data Processing Addendum
This DPA sets out the processor terms that apply when RevSight processes personal data on behalf of a business customer under applicable data protection law.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between RevSight and the Customer and applies where RevSight processes personal data on the Customer’s behalf in connection with the service. Where there is a conflict on data protection, this DPA controls.
These terms are between you and RevSight ("RevSight", "we", "us", or "our"), the operator of the RevSight service.
1. Definitions
“Controller”, “Processor”, “Personal Data”, “Processing”, and “Data Subject” have the meanings given under applicable data protection law (including the GDPR and UK GDPR), and “business”, “service provider”, and “sell/share” have the meanings given under the CCPA/CPRA. A “Sub-processor” is a processor engaged by RevSight to process Personal Data.
2. Roles and scope
For Personal Data in the Customer’s connected accounts, the Customer is the controller (business) and RevSight is the processor (service provider). RevSight will process such Personal Data only on the Customer’s documented instructions (including as set out in the Terms and this DPA) and as needed to provide the service, unless required to act otherwise by law (in which case it will inform the Customer where permitted).
3. Details of processing
See Annex A below.
4. Confidentiality of personnel
RevSight ensures that personnel authorized to process Personal Data are bound by confidentiality obligations and access it only as needed to provide the service.
5. Security measures
RevSight maintains appropriate technical and organizational measures to protect Personal Data, described in Annex B below, taking into account the state of the art and the risks of the processing.
6. Sub-processors
The Customer gives general authorization for RevSight to engage Sub-processors to provide the service. The current list is maintained on our Subprocessors page. RevSight will impose data-protection obligations on each Sub-processor that are substantially the same as those in this DPA, and will give notice of new or replacement Sub-processors (via that page or by email) so the Customer can object on reasonable data-protection grounds.
7. Data subject requests
Taking into account the nature of the processing, RevSight will provide reasonable assistance to help the Customer respond to requests from Data Subjects exercising their rights. If RevSight receives such a request directly, it will refer it to the Customer.
8. Personal data breach
RevSight will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s Personal Data, and will provide information reasonably available to help the Customer meet its own notification obligations.
9. Audit
RevSight will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, subject to confidentiality and reasonable limits on frequency, scope, and disruption. Where available, summary reports or certifications may be provided to satisfy audit requests.
10. Deletion or return of data
On termination of the service, RevSight will delete or, if requested, return the Customer’s Personal Data, except where retention is required by law.
11. International transfers
Where RevSight transfers Personal Data internationally, it will use an appropriate transfer mechanism, including the Standard Contractual Clauses, the UK International Data Transfer Addendum, or the EU-U.S. / UK / Swiss Data Privacy Framework, as applicable.
12. CCPA service-provider terms
Where the CCPA/CPRA applies, RevSight acts as a service provider and will not sell or share the Customer’s Personal Data, will not retain, use, or disclose it for any purpose other than providing the service (or as otherwise permitted by the CCPA), and will not combine it with data from other sources except as permitted. RevSight certifies that it understands and will comply with these restrictions.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
14. How to execute
These terms apply automatically to Customers that act as controllers when they use the service; no signature is required for them to take effect. If you require a counter-signed copy, contact team@revsight.io.
Annex A: Details of processing
- Subject-matter: RevSight’s processing of Personal Data to provide the read-only billing-intelligence service.
- Duration: for the term of the service, until deletion or return.
- Nature and purpose: resolving and displaying billing information on CRM records and generating AI summaries and answers, on the Customer’s instructions.
- Categories of data subjects: the Customer’s end-customers and contacts.
- Categories of Personal Data: identifiers (such as names and email addresses), billing data (subscriptions, invoices, payment status), and usage data.
Annex B: Security measures
- Encryption of data in transit and at rest.
- Encryption of stored provider credentials.
- Read-only, least-privilege access to connected billing providers.
- Access controls and authentication for the service.
- Logging and monitoring of relevant operational events.