Data Processing Addendum

Effective date: November 15, 2023

Last update: October 29, 2025

This ReviewLab Data Processing Addendum (this "DPA") forms part of, and is subject to, the Terms of Service (the "Agreement"). This DPA applies to the extent Customer is subject to relevant Data Protection Laws.

  1. Definitions

    Capitalized terms not defined here have the meanings given in the Agreement.

    • "Authorized Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party and is permitted to use the Services under the Agreement but has not executed its own agreement with ReviewLab.
    • "Customer Personal Data" means Personal Data Processed by ReviewLab on behalf of Customer as part of the Services (excluding Customer Relationship Data).
    • "Customer Relationship Data" means personal data relating to the business relationship between Customer and ReviewLab (e.g., billing contacts, invoicing and payment status data received from providers, account owner/admin details, CRM records, and communications about the Agreement).
    • "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including EU/EEA GDPR, UK GDPR, and Swiss FDPA.
    • "Data Subject" means an individual whose Personal Information is subject to Data Protection Laws.
    • "EEA" means the European Economic Area.
    • "EU Standard Contractual Clauses" or "EU SCCs" means the annex found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of August 1, 2021 at data.europa.eu/eli/dec_impl/2021/914/oj) and any amendments, replacements, or updated standard contractual clauses as recognized and approved by the European Commission from time to time.
    • "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    • "Platform" means access to ReviewLab's software-as-a-service platform and related review widgets, analytics, and services subscribed to by Customer.
    • "Processing" means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
    • "Processor" means the entity which processes Personal Information on behalf of the Controller.
    • "Subprocessor" means a processor engaged by ReviewLab to Process Customer Personal Data.
    • "Regulator" means a supervisory authority or other government body with legal authority over the Processing of Personal Data or provision of the Services.
    • "SCCs" means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as amended or replaced.
    • "UK Addendum" means the UK ICO International Data Transfer Addendum to the EU SCCs (as amended or replaced).
  2. Relationship of the Parties

    2.1 Roles. For Customer Personal Data, Customer acts as Controller (or a processor on behalf of a third-party controller) and ReviewLab acts as Processor. For Customer Relationship Data (e.g., account owner/admin details, billing and tax data received from payment providers, CRM records, communications about the Agreement), ReviewLab acts as an independent Controller for limited purposes such as account administration, billing/tax compliance, platform security/abuse prevention, and legal compliance, as described in ReviewLab's Privacy Policy.

    2.2 Processing on documented instructions. ReviewLab will Process Customer Personal Data only on Customer's documented instructions (including configurations, API calls, and in-product settings), unless Processing is required by law. Where Processing is required by law, ReviewLab will inform Customer before Processing unless prohibited.

    2.3 No secondary use; no sale/share. ReviewLab will not sell or share Customer Personal Data (including for cross-context behavioral advertising), will not use it for targeted advertising or profiling producing legal or similarly significant effects, and will not combine it with data from other sources except (i) as necessary to provide the Services, (ii) for security, fraud prevention, error detection, or service integrity, or (iii) as otherwise authorized by Customer or permitted by applicable law.

    2.4 Ownership and responsibility. Customer retains all right, title, and interest in and to Customer Personal Data. Customer is solely responsible for its configurations and for ensuring that its instructions comply with applicable law.

  3. Customer Obligations

    3.1 Compliance; lawful basis. Customer will ensure that it has provided all necessary notices and obtained all necessary consents (or has another valid legal basis) for ReviewLab to Process Customer Personal Data under the Agreement and this DPA.

    3.2 Data minimization and accuracy. Customer will provide only the Personal Data that is necessary for the Services, will keep such data accurate and up-to-date, and will not instruct ReviewLab to Process data in violation of law.

    3.3 Restrictions on data types. The Services are not intended to Process special categories of personal data, children's data, or other sensitive data under applicable laws. If Customer elects to Process such data, Customer remains responsible for satisfying any heightened requirements and must expressly instruct ReviewLab to do so.

    3.4 Security of access. Customer is responsible for securing its accounts, credentials, users, and client-side environments, including role-based access, strong authentication, and secret/API-key hygiene.

    3.5 Data subject requests. Customer will respond to requests from data subjects and is responsible for determining whether and how to comply. Taking into account the nature of the Processing, ReviewLab will provide reasonable assistance as set out in Section 6.1.

    3.6 Prohibited instructions. Customer will not instruct ReviewLab to Process Personal Data unlawfully. ReviewLab may suspend Processing that it reasonably believes is unlawful or not permitted by this DPA, notifying Customer without undue delay.

    3.7 Cooperation. Customer will promptly provide information reasonably necessary for ReviewLab to fulfill its obligations under this DPA (e.g., to assess objections to new Subprocessors or to complete transfer documentation).

  4. ReviewLab's Obligations as a Processor

    4.1 Processing on instructions. ReviewLab will Process Customer Personal Data only on Customer's documented instructions and for the purposes set out in Annex I and the Agreement.

    4.2 Confidentiality. ReviewLab will ensure that persons authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and receive privacy/security training.

    4.3 Security (TOMs). ReviewLab will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II. ReviewLab may update the TOMs provided such updates do not materially diminish the level of protection.

    4.4 Assistance. Taking into account the nature of Processing and available information, ReviewLab will provide reasonable assistance to Customer as described in Section 6.

    4.5 International transfers. Where Processing involves transfers outside the EEA/UK/Switzerland without an adequacy decision, the parties will rely on the transfer mechanisms in Section 8 and Annex IV.

    4.6 Deletion or return. Upon termination or expiry of the Services, ReviewLab will delete or return Customer Personal Data as described in Section 9.

    4.7 Audits and information. ReviewLab will provide information and accommodate audits as described in Section 10.

  5. Subprocessors

    5.1 General Authorization. Customer grants ReviewLab a general authorization to engage Subprocessors to provide the Services.

    5.2 Contractual Safeguards & Liability. ReviewLab will enter into written contracts with Subprocessors imposing data-protection obligations no less protective than those in this DPA and remains liable for their acts and omissions.

    5.3 Access to Current List (Non-Public). ReviewLab maintains a current list of Subprocessors engaged for Customer's account, accessible via the Customer Portal (Account → Legal) at [PORTAL LINK] or upon written request to info@reviewlab.pro. The list includes the Subprocessor's name, purpose, and processing location(s).

    5.4 Changes; Notice; Objections. ReviewLab will notify Customer of any intended addition or replacement of Subprocessors at least 30 days before the change takes effect via (i) email to the Admin contact on file and/or (ii) in-product notice. Customer may object on reasonable data-protection grounds by written notice within the 30-day period. The parties will work in good faith to resolve the objection (e.g., excluding the Subprocessor for Customer's data where feasible, modifying the Services, or proposing an equivalent provider). If no resolution within 15 days of ReviewLab's receipt of the objection, Customer may suspend the affected Services or terminate the affected Order Form and receive a pro-rata refund of prepaid, unused fees.

    5.5 Government access requests (Subprocessors). Where legally permitted, Subprocessors must promptly notify ReviewLab of any legally binding request for disclosure of Customer Personal Data and limit disclosure to the minimum required.

  6. Assistance to Customer

    6.1 Data Subject Requests. Taking into account the nature of Processing, ReviewLab will provide reasonable assistance to Customer by appropriate technical and organizational measures to fulfill data subject requests received by Customer. If ReviewLab receives a request directly, it will promptly inform Customer and not respond except on documented instructions or where legally required.

    6.2 Impact Assessments & Consultation. ReviewLab will provide reasonable assistance to Customer with data protection impact assessments and consultations with supervisory authorities, to the extent required by law and only for Processing under this DPA.

  7. Personal Data Breach

    ReviewLab will notify Customer without undue delay upon becoming aware of a confirmed personal data breach affecting Customer Personal Data and will provide information reasonably available to assist Customer with required notifications. Notification does not constitute an admission of fault or liability. ReviewLab will take appropriate steps to remediate and mitigate the effects of the breach.

  8. International Transfers

    Where Processing involves a transfer of Customer Personal Data to a country outside the EEA/UK/Switzerland without an adequacy decision, the parties agree that:

    • For EEA transfers, the SCCs (Module 2 Controller→Processor and/or Module 3 Processor→Processor, as applicable) are incorporated by reference and shall apply between Customer and ReviewLab (and, where relevant, between ReviewLab and Subprocessors).
    • For UK transfers, the UK Addendum is incorporated by reference and attaches to the SCCs as required.
    • For Swiss transfers, references in the SCCs to the GDPR/EU will be construed consistently with the Swiss FDPA and the Swiss FDPIC.
    • Annex mapping. Annex I (Parties & Description of Processing) and Annex II (TOMs) of the SCCs are populated by Annex I–II of this DPA; where applicable, Annex III (Subprocessors) is populated by Annex III of this DPA. For EU transfers, the SCCs are governed by the laws of Portugal and supervised by CNPD (Portugal). For UK transfers, the UK Addendum applies; for Switzerland, references are construed consistently with the Swiss FDPA.
    • Where there is a conflict between this DPA and the SCCs/UK Addendum, the SCCs/UK Addendum prevail.

  9. Deletion or Return

    Upon termination or expiry of the Services, at Customer's choice, ReviewLab will delete or return all Customer Personal Data (including existing copies) within a reasonable period, unless retention is required by law or justified for backup integrity for a limited time. If deletion is requested, ReviewLab will ensure secure deletion from active systems and, once backups expire, from archival copies per retention schedules.

  10. Audits and Compliance Information

    10.1 Information. Upon reasonable request, ReviewLab will make available information necessary to demonstrate compliance with this DPA (e.g., security whitepapers, third-party audit reports/certifications available to ReviewLab, summaries of penetration tests), subject to confidentiality.

    10.2 Audit. If such information is insufficient, Customer may conduct an audit once every 12 months (or following a personal data breach impacting Customer Personal Data) on at least 30 days' prior written notice. The parties will mutually agree on an independent third-party auditor (not a competitor of ReviewLab). Audits occur during normal business hours, in a manner that avoids disruption, and exclude access to unrelated records (e.g., HR/payroll, third-party confidential materials). On-site audits are available only where required by a competent Regulator. Customer bears its own costs; ReviewLab may charge reasonable fees for time beyond provision of existing reports.

    10.3 Regulator Cooperation. ReviewLab will cooperate with competent supervisory authorities where required.

    10.4 Government access requests (ReviewLab). Where legally permitted, ReviewLab will promptly notify Customer of any legally binding request for disclosure of Customer Personal Data (e.g., from law enforcement), will redirect the requester to Customer where reasonable, and will limit any disclosure to the minimum required by law.

  11. Records of Processing

    ReviewLab will maintain records of Processing of Customer Personal Data as required by Data Protection Laws and will make them available to a competent supervisory authority upon request.

  12. Limitation of Liability

    The liability caps and exclusions in the Agreement apply to this DPA. Nothing in this DPA limits liability that cannot be limited under applicable law or under the SCCs/UK Addendum where they apply.

  13. Order of Precedence

    If this DPA conflicts with the Agreement, this DPA prevails solely with respect to the Processing of Customer Personal Data. If this DPA conflicts with the SCCs or other mandatory transfer mechanisms, those transfer instruments prevail. In all other matters not related to the Processing of Customer Personal Data, the Agreement governs.

  14. Updates

    ReviewLab may update this DPA to reflect changes in law, guidance, or Services. ReviewLab will provide reasonable prior notice for material changes that reduce protections for Customer Personal Data. If Customer reasonably objects to such material change, the parties will discuss in good faith; if unresolved, Customer may terminate the affected Services and receive a pro-rata refund of prepaid, unused fees.

  15. Miscellaneous

    If any provision is held invalid, the remainder remains in force. This DPA is effective as of the Effective Date of the Agreement (or the date last signed below, if applicable) and remains in effect so long as ReviewLab Processes Customer Personal Data on behalf of Customer.

Annex I — Details of Processing

A. Subject matter & duration
Processing of Customer Personal Data as necessary to provide the Services under the Agreement, for the term of the Agreement plus any return/deletion period.

B. Nature & purpose of Processing
Provision, configuration, hosting, maintenance, support, product analytics (where enabled), synchronization with external review sources connected by Customer, rendering widgets, and security/anti-abuse.

C. Categories of data subjects

  • Customer authorized users (admins, team members).
  • End-customers/reviewers whose publicly available reviews are aggregated when Customer connects sources (names/handles as publicly shown).
  • Individuals contacting support on Customer's behalf.

D. Categories of personal data

  • Identification/contact data (work email, name, role) of Customer users.
  • Account/configuration data (settings, API keys/tokens provided by Customer, source links).
  • Public review content and metadata (reviewer handle/name as publicly shown, rating, text, timestamps, links/media, business/location metadata).
  • Technical data (IP address, device/UA, logs, events) and billing metadata (limited payment status; no full card details processed by ReviewLab).

Special categories: not intended to be processed.

E. Processing instructions
Process strictly for the Services as configured by Customer and described above; apply TOMs in Annex II; engage authorized Subprocessors under Section 5; apply transfer safeguards under Section 8; return/delete under Section 9.

F. Competent supervisory authority
For ReviewLab as EU-established Processor: CNPD (Portugal), without prejudice to the competence of other authorities under applicable law.

Annex II — Technical and Organizational Measures (TOMs)

Information Security Program

  • Governance & Policies: documented ISMS-style controls; annual reviews; employee security training; confidentiality agreements.
  • Access Control: role-based access; least privilege; MFA for administrative access; periodic access reviews; unique IDs; session management.
  • Encryption: TLS for data in transit; industry-standard encryption for data at rest where feasible; key management with restricted access.
  • Network & Infrastructure Security: segmentation, firewalls/security groups, hardened images, secure configuration baselines, automated patching where feasible.
  • Application Security: secure SDLC; code reviews; dependency management; secrets management; regular vulnerability scanning; periodic independent penetration testing with executive summaries available under NDA.
  • Logging & Monitoring: centralized logging; audit trails for administrative actions; anomaly detection and alerting; rate-limiting/anti-abuse.
  • Data Minimization & Pseudonymization: collect only necessary data; pseudonymize/aggregate where appropriate (e.g., analytics).
  • Backup & DR: encrypted backups; tested restore procedures; defined RPO/RTO targets; geographic redundancy for critical services.
  • Physical Security: data centers with perimeter protection, access badges/biometrics, CCTV, visitor logs (via hosting providers).
  • Vendor & Subprocessor Management: due diligence; contractual controls; periodic reassessment; security requirements aligned with this Annex.
  • Incident Response: documented IR plan; breach triage/containment/eradication/recovery; customer communication procedures.
  • Privacy by Design & Default: DPIA support where applicable; consent tooling for cookies; minimization in product features.
  • Personnel Security: onboarding/offboarding; security awareness; sanctions for violations.

Annex III — Subprocessors

Current list is not public. The up-to-date list of Subprocessors engaged for Customer's account is available upon request to info@reviewlab.pro. Each entry includes name, purpose, processing location(s), and transfer mechanism (if applicable).

Annex IV — International Transfers (SCCs / UK Addendum / Swiss Addendum)

EEA. The parties incorporate the EU SCCs (2021/914) as follows:

  • Module 2 (Controller→Processor) applies between Customer (exporter) and ReviewLab (importer).
  • Module 3 (Processor→Processor) applies between ReviewLab (exporter) and Subprocessors (importer) where relevant.
  • Annexes: SCC Annex I–II–III are fulfilled by Annex I–II–III of this DPA.
  • Governing law / Supervisory authority (SCCs): Portugal / CNPD.

Annex V — US State Privacy Addendum

V.1 Scope and Applicability.
This Annex applies only where Customer (or its Affiliates) is subject to one or more US state privacy laws in connection with the Services. If not applicable, this Annex is dormant.

V.2 Roles under US State Laws.
For Customer Personal Data covered by applicable US state privacy laws, ReviewLab acts as a "service provider" / "processor" (as defined under such laws) and will Process Customer Personal Data solely to perform the business purposes set out in the Agreement and this DPA.

V.3 Restrictions (No Sale/Share/CCBA; Purpose Limitation).
ReviewLab will not: (a) sell or share Customer Personal Data (including for cross-context behavioral advertising); (b) retain, use, or disclose Customer Personal Data for any purpose other than the limited and specified business purposes in the Agreement; (c) combine Customer Personal Data with personal data from other sources except as permitted by law to perform the Services, for security/fraud/error detection, or as otherwise authorized by Customer; or (d) use Customer Personal Data for targeted advertising, profiling producing legal/similarly significant effects, or any secondary use not authorized by Customer.

V.4 Consumer Requests and Signals.
Taking into account the nature of Processing, ReviewLab will assist Customer in responding to verified consumer requests (access, deletion, correction, portability, opt-out). Where technically feasible, ReviewLab will pass through or honor recognized opt-out signals (e.g., Global Privacy Control) to the extent required by applicable law and supported by the Services.

V.5 Deidentified and Aggregate Data.
If ReviewLab creates deidentified or aggregate data, it will: (i) maintain and use such data without attempting to re-identify; (ii) publicly commit to the same in its policies; and (iii) bind recipients to equivalent restrictions where applicable.

V.6 Sensitive Personal Data.
The Services are not intended to Process sensitive personal data under US state laws. If Customer configures the Services to Process such data, Customer is responsible for obtaining any required consents or providing required notices; ReviewLab will Process only as instructed and implement appropriate safeguards.

V.7 Subcontractors (Downstream Processors).
ReviewLab may engage Subprocessors as permitted in Section 5. ReviewLab will flow down equivalent obligations (including this Annex) and remains responsible for Subprocessors' performance.

V.8 Audits and Documentation.
ReviewLab will make available information reasonably necessary to demonstrate compliance with this Annex and will cooperate with Customer's reasonable audit requests as set out in Section 10.

V.9 Conflicts and Priority.
If there is a conflict between this Annex and the rest of the DPA, this Annex controls for Processing subject to US state privacy laws. More protective terms in the DPA or mandatory law prevail.

V.10 Definitions.
Terms such as "sell," "share," "service provider," "processor," "targeted advertising," "sensitive personal data," and "cross-context behavioral advertising" have the meanings given in applicable US state privacy laws.

ReviewLab 2026 © All rights reserved