Roles and instructions
REVU.ai acts as a processor of customer data and follows the documented instructions defined in your agreement, order form, and this DPA.
-
Customer obligations
You confirm you have authority to share customer data, secure lawful bases for processing, and configure access according to your policies.
-
Processor obligations
REVU.ai processes data only to deliver contracted services, and never sells or uses customer data for unrelated purposes.
-
Instruction changes
Material changes to processing instructions must be agreed in writing to ensure auditability for both parties.
Security measures
REVU.ai maintains administrative, technical, and physical safeguards aligned with ISO 27001-inspired controls and regional privacy laws.
-
Encryption
Data is encrypted in transit via TLS 1.2+ and at rest using AES-256. Keys are rotated and stored in managed KMS systems.
-
Access controls
Least-privilege, MFA, SSO, and just-in-time elevation protect access to production systems. Activity is logged and reviewed.
-
Testing and audits
Independent penetration tests and continuous monitoring validate our controls. Reports can be shared under NDA.
Subprocessors
Only vetted vendors with relevant safeguards can handle customer data. We maintain an inventory and notify you before material changes.
-
Approval process
Each subprocessor undergoes security, privacy, and contractual reviews before they gain access to scoped data.
-
Notification
We provide advance notice of new subprocessors. Customers may object for justified reasons tied to risk.
-
Responsibility
REVU.ai remains responsible for subprocessors' actions and ensures they meet or exceed our contractual obligations.
Incident management
Security events follow a documented response plan with rapid containment, investigation, and customer communication.
-
Detection
Logging, anomaly detection, and on-call rotations ensure potential incidents are identified quickly.
-
Notification
If customer data is impacted, we notify administrators without undue delay, sharing relevant facts and remediation steps.
-
Cooperation
We provide logs, forensic context, and support to help you meet regulatory notification obligations.
Data subject rights
REVU.ai assists customers in fulfilling data subject requests, including access, correction, deletion, and portability.
-
Request handling
Upon request, we provide tooling or support so you can respond to data subject rights within statutory timelines.
-
Deletion
When you delete data, we remove it from active systems and backups following secure wipe schedules.
-
Transfers
Standard contractual clauses and approved transfer mechanisms govern any cross-border processing.
-
Retention and refresh cadence
Data retention and refresh schedules follow your selected plan (e.g., Starter 90 days, Growth 1 year, Professional 2 years, Enterprise unlimited). Deleted data is purged from active systems and backups per policy.
Request a signed copy
Security and procurement teams can request executed DPAs, residency addenda, or bespoke clauses.
Email security@revu.ai to coordinate reviews with our trust office.