Data Processing Agreement
This Data Processing Agreement (“DPA”) is between Rever Finance Inc, a corporation (“Rever,” “Processor”) and the entity identified as Customer (“Customer,” “Controller”), and governs Rever's processing of Personal Data on behalf of Customer in connection with the cloud-hosted Service.
Capitalized terms not defined in this DPA have the meanings given in the Terms.
These Terms govern your access to and use of Rever's cloud-hosted, self-hosted, and air-gapped work management platform, including our websites, APIs, mobile applications, and related services (collectively, the “Service”). By accessing or using the Service, clicking “I Agree,” or executing an Order Form that references these Terms, you agree to be bound by these Terms. If you do not agree, do not use the Service.
1. Definitions
“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR and any other applicable privacy or data protection legislation.
“Authorized User” means an individual who is permitted by Customer to access and use the Service under Customer's account, including Customer's employees, contractors, and agents.
“Controller” means the entity that determines the purposes and means of processing Personal Data. Under this DPA, Customer is the Controller.
“Customer Data” means any data, content, files, attachments, text, images, or other materials uploaded, submitted, or transmitted by or on behalf of Customer or any Authorized User to or through the Service. Customer Data does not include Usage Data.
“Data Subject” means the identified or identifiable individual to whom Personal Data relates.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Order Form” means a written or electronic ordering document referencing these Terms that specifies the Service purchased, subscription term, fees, and other commercial details. Upon execution by both parties (or, for online orders, upon confirmation), each Order Form is subject to these Terms.
“Personal Data” means any information relating to an identified or identifiable natural person that is contained within Customer Data and processed by Rever on behalf of Customer through the Service.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
“Processor” means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Rever is the Processor.
“Processing” (and “process,” “processed”) means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
“Service” means Rever's proprietary work management platform, including the cloud-hosted service, self-hosted software, mobile applications, APIs, integrations, and related tools and documentation.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
“Sub-processor” means any third party engaged by Rever to process Personal Data on behalf of Customer.
“Subscription Term” means the period during which Customer has paid access to the Service, as specified in the applicable Order Form.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018, as may be amended or replaced.
2. Scope and Roles
2.1. Relationship of the Parties
Customer is the Controller and Rever is the Processor with respect to Personal Data processed through the Service. Each party will comply with its respective obligations under Applicable Data Protection Law.
2.2. Customer's Responsibilities
Customer is responsible for: (a) determining the lawful basis for processing Personal Data; (b) ensuring that it has obtained all necessary consents, authorizations, and legal bases required under Applicable Data Protection Law before submitting Personal Data to the Service; (c) ensuring that its instructions to Rever comply with Applicable Data Protection Law; and (d) the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
2.3. Rever's Responsibilities
Rever will process Personal Data only on behalf of and in accordance with Customer's documented instructions. Rever will not process Personal Data for any purpose other than providing the Service, unless required by applicable law (in which case, Rever will inform Customer of that legal requirement before processing, unless prohibited by law).
3. Details of Processing
3.1. Subject Matter and Duration
Rever processes Personal Data for the purpose of providing the Service to Customer. Processing will continue for the duration of the Subscription Term, plus any post-termination period during which Rever retains Personal Data in accordance with Section 10 of this DPA.
3.2. Nature and Purpose
Rever processes Personal Data to provide, maintain, and support the cloud-hosted Service, including project management, knowledge management, AI-powered features, storage, search, analytics, and customer support.
3.3. Categories of Data Subjects
Data Subjects may include Customer's Authorized Users, Customer's employees and contractors, and any other individuals whose Personal Data is submitted to the Service by or on behalf of Customer.
3.4. Types of Personal Data
Personal Data processed may include names, email addresses, profile information, IP addresses, user-generated content (such as issues, comments, pages, and attachments), and any other Personal Data that Customer or its Authorized Users submit to the Service.
4. Customer Instructions
4.1. Documented Instructions
Rever will process Personal Data only in accordance with Customer's documented instructions. The Terms (including this DPA) constitute Customer's initial instructions. Customer may issue additional written instructions consistent with the Terms.
4.2. Compliance with Instructions
If Rever believes an instruction from Customer infringes Applicable Data Protection Law, Rever will promptly notify Customer and may suspend performance of the instruction until Customer modifies or confirms it.
5. Confidentiality
5.1. Personnel
Rever will ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
5.2. Access Limitation
Rever will limit access to Personal Data to those personnel who require access to fulfill Rever's obligations for rendering Services under the Terms and this DPA.
6. Security
6.1. Security Measures
Rever will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, as appropriate: encryption of Personal Data in transit and at rest, measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, processes for regularly testing, assessing, and evaluating the effectiveness of security measures, and access controls that limit access to Personal Data based on role and necessity.
Details of Rever's security practices are described at rever.ai/security.
6.2. Updates
Rever may update its security measures from time to time, provided that such updates do not materially decrease the overall level of protection afforded to Personal Data.
7. Sub-processors
7.1. Authorization
Customer provides general authorization for Rever to engage Sub-processors to process Personal Data, subject to the requirements of this Section 7.
7.2. Current Sub-processors
The current list of Sub-processors is maintained at rever.ai/legal/sub-processors.
7.3. Notification of Changes
Rever will notify Customer at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor. Notification will be provided via email to the address associated with Customer's account, or through a mechanism provided by Rever for subscribing to Sub-processor change notifications.
7.4. Objection Right
If Customer has a reasonable, good-faith objection to a new Sub-processor based on data protection grounds, Customer will notify Rever in writing within fifteen (15) days of receiving notice. The parties will discuss Customer's concerns in good faith. If Rever cannot reasonably accommodate Customer's objection, Customer may terminate the affected Order Form by providing written notice within thirty (30) days of Rever's notification, and Rever will refund any prepaid fees covering the unused portion of the Subscription Term following the effective date of termination.
7.5. Sub-processor Obligations
Rever will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA. Rever remains responsible for the acts and omissions of its Sub-processors.
8. Data Subject Rights
8.1. Assistance
Rever will provide reasonable assistance to Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (such as access, correction, deletion, portability, restriction, and objection), to the extent Rever is able to do so given its role as Processor.
8.2. Direct Requests
If Rever receives a request directly from a Data Subject, Rever will promptly redirect the Data Subject to Customer unless legally prohibited from doing so. Rever will notify Customer of the request unless prohibited by law.
9. Personal Data Breach
9.1. Notification
Rever will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach. Notification will be provided to Customer's designated security contact, or if none has been designated, to the email address associated with Customer's account.
9.2. Contents of Notification
Notification will include, to the extent known: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the name and contact details of Rever's point of contact for further information; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach and mitigate its effects.
9.3. Cooperation
Rever will provide reasonable cooperation and assistance to Customer in investigating, mitigating, and remediating the Personal Data Breach, and in fulfilling Customer's obligations to notify supervisory authorities and Data Subjects under Applicable Data Protection Law.
9.4. Scope
Rever's notification of a Personal Data Breach under this Section is not an acknowledgment of fault or liability.
10. Data Retention and Deletion
10.1. During the Subscription Term
Rever will process and retain Personal Data for the duration of the Subscription Term in accordance with the Terms.
10.2. Upon Termination
Upon termination or expiration of the Subscription Term, Rever will make Customer Data (including Personal Data) available for export for thirty (30) days, consistent with Section 9.5(b) of the Terms. After this period, Rever will delete all Personal Data from its systems within a reasonable timeframe, except to the extent retention is required by applicable law.
10.3. Certification
Upon Customer's written request, Rever will confirm in writing that it has deleted Personal Data in accordance with this Section 10.
11. Audits and Compliance
11.1. Information
Upon Customer's reasonable written request (no more than once per twelve-month period), Rever will make available information reasonably necessary to demonstrate compliance with this DPA. This may include responses to written questionnaires, summaries of audit reports or certifications (such as SOC 2 reports), and written confirmation of security practices.
11.2. Third-Party Audits
If the information provided under Section 11.1 is not sufficient to demonstrate compliance, and Customer is required by Applicable Data Protection Law to conduct a more detailed audit, Customer may request an audit of Rever's processing activities relevant to this DPA, subject to the following: (a) Customer will provide at least thirty (30) days' advance written notice; (b) audits will be conducted during normal business hours, no more than once per year, and at Customer's expense; (c) the scope of the audit will be limited to Rever's processing of Personal Data under this DPA; (d) Customer and its auditor will comply with reasonable confidentiality obligations; and (e) Customer will minimize disruption to Rever's operations.
11.3. Regulatory Audits
Nothing in this Section 11 limits the ability of a supervisory authority to conduct an audit or inspection as authorized by Applicable Data Protection Law.
12. International Data Transfers
12.1. Transfer Mechanisms
To the extent that Rever's processing of Personal Data involves a transfer from the EEA, UK, or Switzerland to a country not recognized as providing adequate data protection, Rever will ensure that appropriate transfer mechanisms are in place, including the Standard Contractual Clauses or the UK Addendum, as applicable.
12.2. Standard Contractual Clauses (EEA)
For transfers of Personal Data from the EEA, the parties agree to be bound by the SCCs (Module Two: Controller to Processor), which are incorporated into this DPA by reference. Where the SCCs apply:
(a) Clause 7 (Docking Clause): The optional docking clause is included.
(b) Clause 9(a) (Sub-processors): Option 2 (general written authorization) applies. Rever will notify Customer of changes to Sub-processors in accordance with Section 7.3 of this DPA.
(c) Clause 11 (Redress): The optional language is not included.
(d) Clause 13 and Annexure I (C) (Supervisory Authority): The competent supervisory authority will be determined in accordance with Clause 13.
(e) Clause 17 (Governing Law): The SCCs will be governed by the law of the EU Member State in which the data exporter is established, or if the data exporter is not established in the EU, the law of Ireland.
(f) Clause 18(b) (Forum): Disputes will be resolved before the courts of the jurisdiction identified in Clause 17.
12.3. UK Transfers
For transfers of Personal Data from the United Kingdom, the UK Addendum is incorporated into this DPA by reference and supplements the SCCs as applied under Section 12.2.
12.4. Swiss Transfers
For transfers of Personal Data from Switzerland, the SCCs apply with the modifications required by the FADP, including that the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and that references to the GDPR are interpreted as references to the FADP where applicable.
13. Data Protection Impact Assessments
Rever will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and to the extent such assistance relates to Rever's processing of Personal Data.
14. CCPA-Specific Terms
To the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), applies to Rever's processing of Personal Data under this DPA:
(a) Rever is a “service provider” as defined in the CCPA.
(b) Rever will not sell or share (as defined in the CCPA) Personal Data received from Customer.
(c) Rever will not retain, use, or disclose Personal Data for any purpose other than performing the Service as specified in the Terms, or as otherwise permitted by the CCPA.
(d) Rever will not combine Personal Data received from Customer with personal information received from other sources, except as permitted by the CCPA to perform the Service.
(e) Rever certifies that it understands the obligations set forth in this Section 14 and will comply with them.
15. General
15.1. Conflicts
In the event of a conflict between this DPA and the Terms, this DPA will prevail with respect to the processing of Personal Data.
15.2. Amendments
Rever may update this DPA from time to time to reflect changes in Applicable Data Protection Law or Rever's processing practices. Material changes will be notified in accordance with Section 16.8 of the Terms.
15.3. Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
15.4. Governing Law
This DPA is governed by the same law that governs the Terms, except where Applicable Data Protection Law requires otherwise (including with respect to the SCCs).
15.5. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in Section 11 of the Terms.
Annex I — Details of Processing
A. List of Parties
Data Exporter (Controller): The Customer identified in the Terms of Service.
Data Importer (Processor): Rever Finance Inc., a New Hampshire corporation. Contact: support@rever.ai.
B. Description of Processing
Subject matter: Provision of the cloud-hosted Rever Service to Customer.
Duration: The Subscription Term, plus any post-termination retention period described in Section 10.
Nature and purpose: Processing Personal Data as necessary to provide, maintain, and support the Service, including project management, knowledge management, AI-powered features, storage, search, analytics, and customer support.
Categories of Data Subjects: Customer's Authorized Users, employees, contractors, and other individuals whose Personal Data is submitted to the Service.
Types of Personal Data: Names, email addresses, profile information, IP addresses, user-generated content (issues, comments, pages, attachments), and other Personal Data submitted by Customer or Authorized Users.
Sensitive data (if applicable): None, unless Customer has executed a separate written agreement (such as a BAA) that expressly permits the processing of sensitive data.
C. Competent Supervisory Authority
The competent supervisory authority will be determined in accordance with Clause 13 of the SCCs.
Annex II — Technical and Organizational Security Measures
Rever implements the following categories of security measures, as described in detail at rever.ai/security:
Encryption. Personal Data is encrypted in transit using TLS/SSL and encrypted at rest using industry-standard encryption.
Access controls. Role-based access controls limit access to Personal Data to authorized personnel. Multi-factor authentication is enforced for administrative access.
Infrastructure security. The Service is hosted on Amazon Web Services (AWS). Rever leverages AWS security features including network isolation, firewalls, and intrusion detection.
Application security. Regular vulnerability assessments and penetration testing. Secure software development practices. Dependency monitoring and patching.
Organizational measures. Employee background checks (where permitted by law). Security awareness training. Confidentiality agreements. Incident response procedures.
Business continuity. Regular data backups. Disaster recovery procedures. Monitoring and alerting.
Vendor management. Sub-processor due diligence and contractual safeguards. Ongoing monitoring of Sub-processor security posture.