Data Processing Agreement
GDPR Compliant DPA
Effective Date: January 1, 2026
Last Updated: January 6, 2026
Legal Notice: This Data Processing Agreement ("DPA") forms part of the Terms of Service between AionReviews and you ("Customer"). By using our services, you agree to this DPA. This document is provided for informational purposes. For specific legal advice, consult a qualified attorney.
This Data Processing Agreement ("DPA") is entered into between AionReviews, Inc. ("Processor", "we", "us", or "our") and the entity agreeing to these terms ("Controller", "Customer", or "you") and supplements our Terms of Service. This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
"Personal Data"
Any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) of the GDPR.
"Processing"
Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Controller"
The entity that determines the purposes and means of Processing Personal Data. In this DPA, the Customer acts as the Controller.
"Processor"
The entity that Processes Personal Data on behalf of the Controller. In this DPA, AionReviews acts as the Processor.
"Sub-processor"
Any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
"Data Protection Laws"
All applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, and other relevant legislation.
"Standard Contractual Clauses" (SCCs)
The contractual clauses adopted by the European Commission for international data transfers as set out in Commission Implementing Decision (EU) 2021/914.
"Services"
The review management platform and related services provided by AionReviews as described in the Terms of Service.
2. Scope and Purpose of Processing
2.1 Subject Matter: This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services.
2.2 Nature and Purpose: The Processor will Process Personal Data solely for the following purposes:
- Providing and maintaining the review management platform
- Sending review requests via email and SMS on behalf of the Controller
- Collecting and storing customer reviews and feedback
- Performing AI-powered sentiment analysis and generating response suggestions
- Providing analytics and reporting on review data
- Technical support and service improvement
2.3 Types of Personal Data:
- Contact information (names, email addresses, phone numbers)
- Review content and feedback
- Transaction or interaction records
- Communication preferences
- Account and authentication data
2.4 Categories of Data Subjects:
- Controller's customers and end-users
- Controller's employees and personnel
- Individuals who submit reviews
2.5 Duration: The Processing will continue for the duration of the Agreement and for such additional period as required for deletion or return of Personal Data in accordance with this DPA.
3. Obligations of the Processor
The Processor agrees to:
3.1 Lawful Processing: Process Personal Data only on documented instructions from the Controller, unless required by applicable law. If the Processor is required to Process Personal Data for any other purpose, it will inform the Controller of that legal requirement before Processing, unless prohibited by law.
3.2 Confidentiality: Ensure that persons authorized to Process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience
- Regular testing and evaluation of security measures
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
3.4 Sub-processors: Not engage another processor without prior specific or general written authorization of the Controller. Where general authorization is given, the Processor shall inform the Controller of any intended changes and provide an opportunity to object.
3.5 Data Subject Rights: Assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, taking into account the nature of the Processing.
3.6 Breach Notification: Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Controller's Personal Data.
3.7 Assistance: Assist the Controller in ensuring compliance with obligations under Articles 32-36 of the GDPR, taking into account the nature of Processing and information available to the Processor.
3.8 Deletion/Return: At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless storage is required by applicable law.
3.9 Audit: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.
4. Obligations of the Controller
The Controller agrees to:
4.1 Lawful Basis: Ensure that it has a valid legal basis for Processing Personal Data and for instructing the Processor to Process Personal Data on its behalf.
4.2 Instructions: Provide documented instructions to the Processor regarding the Processing of Personal Data and ensure that such instructions comply with Data Protection Laws.
4.3 Data Subject Rights: Handle requests from Data Subjects and inform the Processor promptly of any such requests that relate to the Processor's Processing activities.
4.4 Accuracy: Ensure the accuracy and quality of Personal Data provided to the Processor.
4.5 Consent: Where consent is the legal basis for Processing, ensure that appropriate consent has been obtained from Data Subjects for the Processing activities, including sending review requests via email and SMS.
4.6 Notification: Promptly notify the Processor of any changes to applicable Data Protection Laws that may affect the Processing.
5. Sub-processors
5.1 Authorization: The Controller provides general authorization for the Processor to engage Sub-processors listed in Annex C. The Processor shall inform the Controller of any intended additions or replacements of Sub-processors at least 30 days in advance.
5.2 Objection: The Controller may object to the engagement of a new Sub-processor by notifying the Processor in writing within 14 days of receiving notice. If the Controller objects on reasonable grounds relating to data protection, the parties will work in good faith to find an alternative solution.
5.3 Sub-processor Agreements: The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
5.4 Liability: The Processor shall remain fully liable to the Controller for the performance of Sub-processors' obligations.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database & Authentication | United States | SCCs, SOC 2 Type II |
| Vercel | Hosting & Infrastructure | United States | SCCs, SOC 2 Type II |
| Resend | Email Delivery | United States | SCCs, DPA |
| Twilio | SMS Delivery | United States | SCCs, SOC 2 Type II, ISO 27001 |
| OpenAI | AI Processing | United States | SCCs, SOC 2 Type II |
6. Data Subject Rights
6.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
6.2 If the Processor receives a request from a Data Subject, it shall promptly redirect the Data Subject to the Controller and notify the Controller of the request within 5 business days.
6.3 The Processor shall provide reasonable assistance to help the Controller respond to Data Subject requests within the timeframes required by applicable law.
7. Security Measures
The Processor implements and maintains the following security measures (detailed in Annex B):
7.1 Technical Measures:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256
- Multi-factor authentication for administrative access
- Role-based access controls
- Network security and firewalls
- Intrusion detection and prevention systems
- Regular vulnerability assessments and penetration testing
- Secure software development lifecycle
7.2 Organizational Measures:
- Security awareness training for all personnel
- Background checks for employees with data access
- Incident response procedures
- Business continuity and disaster recovery plans
- Regular security audits
- Vendor security assessments
8. Personal Data Breach
8.1 Notification: The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach affecting the Controller's Personal Data.
8.2 Information: The notification shall include, to the extent known:
- Description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned
- Name and contact details of the data protection officer or other contact point
- Description of likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate its effects
8.3 Assistance: The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8.4 Documentation: The Processor shall document any Personal Data breaches, including facts, effects, and remedial actions taken.
9. International Data Transfers
9.1 The Processor may transfer Personal Data to countries outside the European Economic Area ("EEA") only if appropriate safeguards are in place as required by GDPR Article 46.
9.2 For transfers to the United States and other third countries without an adequacy decision, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission in Decision 2021/914 shall apply and are hereby incorporated by reference.
9.3 The Processor shall ensure that Sub-processors located outside the EEA are bound by appropriate transfer mechanisms, including SCCs or other valid transfer mechanisms.
9.4 The Processor shall conduct transfer impact assessments where required and implement supplementary measures as necessary.
10. Audit Rights
10.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
10.2 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor, subject to:
- Reasonable advance notice (at least 30 days, except in emergencies)
- Audits conducted during normal business hours
- Confidentiality obligations regarding audit findings
- Reasonable scope limitations to protect other customers' data
10.3 The Processor shall provide, upon request, copies of relevant certifications, audit reports (e.g., SOC 2 Type II), and security assessments.
11. Data Deletion and Return
11.1 Upon termination of the Services or upon Controller's request, the Processor shall, at the Controller's choice:
- Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- Delete all Personal Data and certify such deletion in writing
11.2 Data export will be provided within 30 days of the request.
11.3 The Processor may retain Personal Data to the extent required by applicable law, and such retained data shall remain subject to this DPA.
11.4 Backup copies will be deleted in accordance with the Processor's standard backup retention schedule (typically within 90 days).
12. Term and Termination
12.1 This DPA shall come into effect on the date the Controller accepts the Terms of Service and shall continue until the termination of the Services.
12.2 Sections relating to confidentiality, liability, and data deletion shall survive termination of this DPA.
12.3 Either party may terminate this DPA in the event of a material breach by the other party that remains uncured for 30 days after written notice.
13. Liability
13.1 Each party shall be liable for damages caused by Processing that infringes Data Protection Laws, in accordance with the liability provisions of the GDPR (Article 82).
13.2 The liability limitations set forth in the Terms of Service shall apply to this DPA, except that such limitations shall not apply to the extent prohibited by applicable Data Protection Laws.
13.3 Each party shall indemnify the other against any damages, costs, and expenses arising from the indemnifying party's breach of this DPA or applicable Data Protection Laws.
14. General Provisions
14.1 Conflict: In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
14.2 Amendments: This DPA may be amended by the Processor to ensure continued compliance with Data Protection Laws. Material changes will be notified to the Controller at least 30 days in advance.
14.3 Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
14.4 Governing Law: This DPA shall be governed by the laws specified in the Terms of Service, without prejudice to mandatory data protection requirements under GDPR.
15. Contact Information
Data Protection Inquiries
AionReviews, Inc.
Attn: Data Protection Officer
Email: dpo@aionreviews.com
EU Representative
[EU Representative Name]
[Address]
Email: eu-rep@aionreviews.com