This Data Processing Agreement (the “DPA”), together with the General Terms & Conditions (the “Terms”) and the Service Level Agreement (the “SLA”), constitutes an integral part of the Agreement between Revelate technologies AB (“Revelate” or the “Processor”) and the customer entity identified in the Signing Form (the “Customer” or the “Controller”), as set out in the Signing Form (the “Agreement”).
Definitions used in this DPA shall have the same meaning as in the Terms, unless otherwise defined herein.
1. PARTIES
Revelate and the Customer are collectively referred to as the “Parties” and individually as a “Party”.
2. BACKGROUND
The Parties have entered into the Agreement under which Revelate provides the Services to Customer.
In connection with providing the Services, Revelate Processes Personal Data on behalf of Customer.
The Parties enter into this DPA to comply with Article 28 of the GDPR and other applicable Data Protection Laws.
3. DEFINITIONS AND INTERPRETATIONS
Unless otherwise defined herein, the following capitalized terms shall have the meanings below:
“Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Agreement.
“Contracted Processor” means a Subprocessor.
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
“GDPR” means Regulation (EU) 2016/679.
“Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of Customer in connection with the DPA.
The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.
4. DETAILS OF PROCESSING
The subject-matter, duration, nature and purpose of Processing, the types of Personal Data and categories of Data Subjects are described in Appendix 1 (Details of Processing).
5. PROCESSING OF COMPANY PERSONAL DATA
- Processor shall:
  - comply with applicable Data Protection Laws in the Processing of Company Personal Data; and
  - not Process Company Personal Data other than on Customer’s documented instructions, including with regard to transfers of Company Personal Data outside the EU/EEA, unless required to do so by applicable law.
- Customer instructs Processor to Process Company Personal Data as necessary to provide the Services under the Agreement and as further described in Appendix 1. Customer may issue additional documented instructions consistent with the Agreement.
- Automated analysis (tech-neutral). Customer acknowledges that the Services may include automated processing operations (such as extraction, classification, summarisation, matching, aggregation, scoring, and insight generation) performed on Customer content and communications (including meeting transcripts and emails) to provide the Services, as further described in Appendix 1. Such operations may be performed using statistical methods, machine learning, and/or large language model-based components, without changing the Parties’ roles (Customer as Controller; Processor as Processor).
- Customer is responsible for: (i) determining and documenting its lawful basis, transparency notices, and (where applicable) consultation with employee representatives for the Processing of Company Personal Data; and (ii) ensuring that it does not provide special categories of data unless expressly agreed in writing and subject to appropriate safeguards.
6. PROCESSOR PERSONNEL
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Company Personal Data, ensuring that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data for the purposes of the Agreement, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
7. SECURITY
- Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, in accordance with Article 32 GDPR.
- The technical and organisational measures are described at a high level in Appendix 2 (Security Measures).
8. SUBPROCESSING
- Customer authorises Processor to appoint Subprocessors in accordance with this Section 8.
- Processor shall enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than this DPA, and Processor shall remain fully liable for the Subprocessor’s performance of its obligations under such agreement.
- Current Subprocessors. Processor’s current Subprocessors are listed in Appendix 3 (Subprocessor List).
- Notice of changes; objection. Processor will provide Customer at least thirty (30) days’ prior notice of any intended addition or replacement of Subprocessors by updating Appendix 3 (and/or by written notice). Customer may object in writing within the notice period on reasonable data protection grounds. The Parties will work in good faith to address the objection. If the objection cannot be resolved in a commercially reasonable manner, Customer may terminate the affected part of the Services by written notice.
9. DATA SUBJECT RIGHTS
- Taking into account the nature of the Processing, Processor shall assist Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests to exercise Data Subject rights under Data Protection Laws.
- Processor shall:
  - promptly notify Customer if it receives a request from a Data Subject in respect of Company Personal Data; and
  - not respond to such request except on Customer’s documented instructions or as required by applicable law (in which case Processor shall, to the extent permitted, inform Customer of that legal requirement before responding).
10. PERSONAL DATA BREACH
Processor shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data and provide information reasonably necessary to assist Customer in meeting its obligations under Data Protection Laws. Processor shall cooperate with Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of the breach.
11. DPIA AND PRIOR CONSULTATION
Processor shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers required under Articles 35 or 36 GDPR (or equivalent provisions), solely in relation to Processing of Company Personal Data by Processor and taking into account the nature of Processing and information available to Processor.
12. DELETION OR RETURN OF COMPANY PERSONAL DATA
- Upon termination or expiry of the Agreement, and upon Customer’s written request, Processor shall return Company Personal Data in a commonly used format and/or delete Company Personal Data from production systems within thirty (30) days, unless applicable law requires storage.
- Backups. Company Personal Data may remain in encrypted backup systems until backups are rotated and deleted in accordance with Processor’s backup retention cycle (currently up to 365 days), provided that such data is not actively Processed except for restoration and disaster recovery, and is protected by appropriate security measures. If a restore occurs during the retention period, Processor will re-delete the relevant Company Personal Data from production systems as soon as reasonably possible after restoration.
- Upon Customer’s written request, Processor shall provide written confirmation of deletion from production systems.
13. AUDIT RIGHTS
- Processor shall make available to Customer, upon request, information reasonably necessary to demonstrate compliance with this DPA.
- Customer may conduct an audit of Processor’s compliance with this DPA no more than once per twelve (12) months, on at least thirty (30) days’ prior written notice, during normal business hours, and subject to reasonable confidentiality and security requirements.
- Processor may satisfy audit requests by providing relevant third-party audit reports or summaries of security controls, where available, and by responding to reasonable written questionnaires.
- Customer bears its own audit costs. Where an on-site audit is requested, Customer shall reimburse Processor’s reasonable time and expenses unless the audit reveals material non-compliance.
14. INTERNATIONAL TRANSFERS
- Processor may Process Company Personal Data within the EU/EEA. If Company Personal Data is transferred outside the EU/EEA, Processor shall ensure that an appropriate transfer mechanism applies, including (as applicable) EU Standard Contractual Clauses (“SCCs”) and supplementary measures.
- Where SCCs are required, the Parties agree that SCCs are incorporated by reference and will be completed and executed as necessary, with Customer as exporter and Processor (or the relevant Subprocessor) as importer, as applicable.
15. CONFIDENTIALITY
Each Party must keep this DPA and Confidential Information received in connection with this DPA confidential and must not use or disclose it without prior written consent except to the extent that (a) disclosure is required by law; or (b) the information is already in the public domain through no breach of this DPA.
16. LIABILITY
Each Party’s liability under or in connection with this DPA shall be subject to the liability provisions of the Terms, except to the extent liability cannot be limited under applicable Data Protection Laws.
17. NOTICES
Notices under this DPA shall be given in accordance with the notice provisions in the Terms and/or Signing Form, as applicable.
18. GOVERNING LAW AND JURISDICTION
This DPA shall be governed by and construed in accordance with the governing law and dispute resolution provisions set out in the Terms, unless otherwise required by applicable Data Protection Laws.
____________________________________________________________________________________
APPENDIX 1 - Details of Processing
- Subject matter: Processing of Company Personal Data to provide the Services under the Agreement.
- Duration: For the term of the Agreement and thereafter only as necessary for return/deletion and backup retention as described in this DPA and the SLA.
- Nature and purpose: Hosting, storage, structuring, retrieval, access, transmission and other Processing necessary to provide the Services; support; error management; security; maintenance; and service improvements (excluding use of Company Personal Data for Processor’s own marketing). The Services may include automated analysis of Customer data and communications to generate reports, dashboards, summaries, classifications and insights relevant to revenue operations and commission workflows.
- Types of Company Personal Data: As determined by Customer’s use of the Services and connected systems; may include identifiers and business contact details, user/account data, sales activity/pipeline and deal data, transactional/subscription data, commission calculation inputs/outputs, meeting transcripts, and email content processed through the Services. Not intended to include special categories of data.
- Categories of Data Subjects: Customer’s Users and other individuals whose Personal Data is included in Customer systems and processed through the Services (e.g., employees, contractors, customers/prospects).
- Processing operations: Collection (from Customer-authorised systems), recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment/combination, restriction, erasure/destruction; and (where applicable) extraction, classification, summarisation, matching, aggregation, scoring and insight generation to support the Services.
____________________________________________________________________________________
APPENDIX 2 - Security Measures (technical and organisational measures)
Processor maintains appropriate technical and organisational measures aligned with GDPR Article 32, including as applicable:
- access controls and least privilege;
- encryption in transit and at rest;
- logging and monitoring;
- vulnerability management and patching;
- incident response procedures;
- backup and disaster recovery;
- staff confidentiality commitments and security training;
- segregation of environments and change control.
(Additional detail may be provided upon request, subject to confidentiality.)
____________________________________________________________________________________
APPENDIX 3 - Subprocessor List
Processor currently uses the following Subprocessors for hosting and data management services:
- Amazon Web Services (AWS)
- Supabase
Processor may use additional Subprocessors as needed to provide the Services in accordance with Section 8.