This Data Processing Addendum (“DPA”) forms part of the Terms & Conditions and governs the processing of personal data by RevlytIQ, LLC (“RevlytIQ,” “we,” “us,” or “our”) on behalf of Customers (“you” or “Customer”) when you use the RevlytIQ Services.
This DPA applies only to the extent that RevlytIQ processes personal data on behalf of Customer in the course of providing the Services.
1. Definitions
Applicable Data Protection Laws means all privacy and data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), and other regulations governing the processing of personal data.
Customer Data means any data submitted to RevlytIQ by or on behalf of Customer through use of the Services.
Data Subject means an identified or identifiable natural person whose personal data is processed under this DPA.
Personal Data means any information relating to an identified or identifiable Data Subject, as defined under Applicable Data Protection Laws.
Processing means any operation or set of operations performed on Personal Data, including storage, transmission, analysis, or access.
Controller means the party that determines the purposes and means of processing personal data.
Processor means the party that processes personal data on behalf of the Controller.
Subprocessor means any third party engaged by RevlytIQ to process Personal Data on behalf of Customer.
2. Scope and Role of the Parties
For the purposes of this DPA:
Customer is the Controller of Customer Data.
RevlytIQ is the Processor of Customer Data.
RevlytIQ also acts as a Service Provider under the California Consumer Privacy Act (CCPA) and does not retain, use, or disclose personal information for any purpose outside the scope of this Agreement.
RevlytIQ may also act as a Controller only with respect to aggregated, non-identifiable usage data such as AI prompt volume, platform performance metrics, or anonymized output caching used to improve platform functionality or internal AI orchestration.
Aggregated, anonymized data that cannot reasonably identify a natural person is not considered Personal Data under this DPA.
RevlytIQ will process Customer Data solely for the purpose of providing the Services, in accordance with Customer’s documented instructions, and in compliance with Applicable Data Protection Laws.
3. Categories of Data and Data Subjects
Categories of Personal Data processed by RevlytIQ may include:
Names, email addresses, and workspace-level role assignments
Workspace metadata and login activity
Communication metadata such as timestamps, contact history, or file references
Operational records transmitted through connected integrations
Uploaded documents stored in Workspace Storage
AI prompt and output data to the extent linked to identifiable users
Data Subjects include:
Authorized users of Customer’s RevlytIQ workspace
Employees, contractors, or business contacts managed through Customer’s integrations
4. Customer Responsibilities
Customer agrees to:
Obtain all necessary consents and lawful bases for processing Customer Data
Comply with applicable data protection laws in its use of the Services
Ensure its Users do not submit or store sensitive personal data such as health, biometric, or government identifiers without prior agreement or a separate Business Associate Agreement (BAA)
RevlytIQ does not assume liability for data uploaded in violation of this section.
5. Subprocessors
RevlytIQ may engage Subprocessors to support infrastructure, analytics, automation, hosting, and customer experience. Subprocessors are contractually required to meet privacy and security obligations no less protective than those in this DPA.
An updated list of subprocessors is maintained at [Insert URL] or available upon request. Customer will be notified of material changes and may object based on reasonable privacy grounds. RevlytIQ will work in good faith to address objections.
6. Data Subject Requests
RevlytIQ will, to the extent legally permitted and technically feasible:
Assist Customer in responding to Data Subject requests to access, rectify, or delete personal data
Redirect Data Subjects to Customer when requests are made directly to RevlytIQ
Provide tools to enable Customer to manage its own user and data deletion requests
Customer is responsible for verifying the identity and validity of any request.
7. Security Measures
RevlytIQ will implement appropriate technical and organizational safeguards to protect Customer Data. These measures include:
Role-based access controls and credential restrictions
Encryption of data at rest and in transit
API throttling, monitoring, and system health enforcement
Incident response and breach alert workflows
Regular vulnerability scans and employee security training
Documentation about security practices may be made available under NDA.
8. Breach Notification
In the event of a Personal Data Breach, RevlytIQ will notify Customer without undue delay after becoming aware of the breach. Notification will include:
Description of the nature and scope of the breach
Contact details for RevlytIQ’s privacy team
Description of likely consequences
Description of measures taken to mitigate the breach
Notification may be delayed if required by law enforcement or regulatory request.
9. Data Transfers
To the extent Customer Data is transferred outside the country of origin, RevlytIQ shall ensure that appropriate safeguards are in place. For transfers from the EEA, UK, or Switzerland, RevlytIQ relies on:
Standard Contractual Clauses (SCCs) approved by the European Commission
Alternative lawful mechanisms if applicable under future regulations
RevlytIQ servers are hosted in regions disclosed in our infrastructure documentation.
10. Data Retention and Deletion
Customer may delete data within the Workspace or submit a request for account termination at any time.
Upon termination or expiration of the Agreement:
RevlytIQ will delete Customer Data from its systems within sixty (60) days, unless retention is required by law
Backup or archival data will be securely deleted on the next cycle unless otherwise restricted
Customer may request a certificate of deletion where required for compliance.
11. Audits and Documentation
Upon written request, RevlytIQ will provide a summary of its most recent audit reports, security assessments, or third-party certifications, subject to non-disclosure obligations.
Customer may request a privacy compliance discussion or questionnaire review once per calendar year unless otherwise required by law or contract.
12. Limitation of Liability
Liability under this DPA is governed by the limitation of liability terms in the primary RevlytIQ Terms & Conditions.
13. Governing Law
This DPA is governed by the laws of the State of Texas, United States. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Terms & Conditions.
14. Term and Termination
This DPA remains in effect as long as RevlytIQ processes Customer Data or until the Agreement expires or is terminated.
15. Contact
For privacy-related questions, requests, or concerns, contact:
RevlytIQ, LLC
Austin, TX
privacy@revlytiq.io