Privacy/Data Processing Addendum (DPA)

Effective: 19 Sep 2025

  1. Parties and scope


This Data Processing Addendum (“DPA”) forms part of the agreement between AIBZPRO LLC, operating as “Revanx by AIBZPRO” (“Revanx,” “Processor,” “Service Provider/Contractor”) and the counterparty identified in the Order Form (“Customer,” “Controller,” “Business”) regarding the processing of personal data through the Services, as defined in the principal Terms.
This DPA applies where Revanx processes personal data on behalf of Customer pursuant to applicable data protection laws, including the EU/EEA GDPR, UK GDPR, and California CPRA, as applicable to Customer’s use of the Services.


  2. Definitions

“Applicable Data Protection Law” means all data protection and privacy laws that apply to the processing under this DPA, including the GDPR, UK GDPR, and CPRA, in each case as amended or replaced from time to time.
“EU SCCs” means the Standard Contractual Clauses adopted by the European Commission for international transfers to third countries pursuant to GDPR Article 46(2)(c)–(d).

“UK Addendum/IDTA” means the ICO’s addendum to the EU SCCs or the International Data Transfer Agreement for transfers subject to UK GDPR.
Other capitalized terms not defined in this DPA have the meanings given in the Terms or the Applicable Data Protection Law.

  3. Roles and processing

Customer is the Controller/Business and appoints Revanx as Processor/Service Provider to process personal data solely to provide, secure, maintain, and improve the Services as documented in the Agreement, Customer’s configuration, and this DPA (“Permitted Purpose”).
Revanx will process personal data only on documented instructions from Customer, including regarding transfers, sub‑processing, and deletion, unless required by law, in which case Revanx will inform Customer unless legally prohibited.

  4. Confidentiality and training

Revanx ensures personnel authorized to process personal data are bound by confidentiality obligations and receive appropriate privacy and security training proportional to their roles.
Revanx limits personnel access to what is necessary for the Permitted Purpose and enforces role‑based access controls and logging as part of its security program.

  5. Security measures

Revanx implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including AES‑256 encryption at rest, TLS 1.2+ in transit, access controls, audit logging, real‑time observability, automated retries (“Task Hospital”), feature flags, and safe rollback, as further detailed in Annex II (TOMs).
Revanx conducts periodic testing and reviews of the effectiveness of these measures, including annual independent penetration testing, and remediates material findings in a timely manner.

  6. Sub‑processors

Customer authorizes Revanx to engage sub‑processors for the Permitted Purpose, subject to written contracts imposing data protection obligations no less protective than this DPA and Applicable Data Protection Law.
Revanx will maintain a list of current sub‑processors and provide notice of material changes where legally required, allowing Customer to object on reasonable grounds related to data protection by contacting connect@aibzpro.com; if unresolved, Customer may suspend the affected processing or terminate the affected Services as its sole and exclusive remedy.

  7. Data subject requests and cooperation

Taking into account the nature of processing, Revanx will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill data subjects’ rights requests (access, rectification, erasure, restriction, portability, and objection) under Applicable Data Protection Law.
Revanx will promptly forward any request it receives directly from a data subject to Customer and will not respond except on documented instructions or where legally required.

  8. Assistance with compliance


Revanx will provide reasonable assistance to Customer with privacy impact assessments, transfer impact assessments, and consultations with supervisory authorities, in each case solely relating to the Services and the processing by Revanx, considering the nature of processing and information available to Revanx.
Revanx will make available information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, including security summaries and audit reports as described in Section 11 (Audit).


  9. International data transfers

Revanx may transfer personal data internationally to provide the Services, subject to appropriate safeguards.
Where Customer is subject to the GDPR and personal data is transferred to Revanx or its sub‑processors in a third country without an adequacy decision, the EU SCCs (Controller‑to‑Processor, Module Two; and/or Processor‑to‑Processor, Module Three, as appropriate) are incorporated by reference and completed by Annexes I–III and IV to this DPA, forming part of this DPA.
For transfers subject to UK GDPR, the UK Addendum to the EU SCCs or the IDTA is incorporated and completed by Annex IV, and prevails for UK‑covered transfers where required by UK law.
Customer authorizes Revanx to implement supplementary measures (technical, organizational, contractual) based on transfer risk assessments, consistent with guidance for international transfers, to ensure an essentially equivalent level of protection for data subjects.

  10. Security incidents

Revanx will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide timely information to assist Customer in meeting any breach reporting obligations, including the nature of the incident, categories and approximate number of data subjects and records concerned, likely consequences, and mitigation steps taken or proposed, subject to ongoing investigation.
For notifiable incidents, Revanx targets initial notice within 72 hours of confirmation, and will cooperate in good faith on any required regulator or data subject notifications led by Customer as Controller.

  11. Audit and verification

Upon Customer’s written request no more than annually and subject to reasonable notice and confidentiality obligations, Revanx will make available summaries of third‑party audit reports (e.g., penetration test executive summaries or equivalent) and respond to a reasonable security questionnaire focused on the TOMs in Annex II, without granting physical access to facilities or systems except where required by law and subject to mutually agreed scope and cost.
If a supervisory authority requires an on‑site audit, Revanx will permit and contribute to such audits of the processing activities covered by this DPA, coordinated to minimize disruption and protect Revanx’s and other customers’ data.

  12. Return and deletion

Upon termination or expiry of the Services, Revanx will, at Customer’s choice and subject to legal holds, either delete or return personal data after the 30‑day export window, with backups purged on their normal cycles, and will certify completion upon written request, except where retention is required by law or for legitimate archival logs.
If deletion is infeasible, Revanx will continue to protect the personal data and limit processing to storage for legal purposes until deletion is possible.

  13. Processor obligations under CPRA (service provider/contractor)

For California personal information, Revanx will process only for the limited and specified business purposes described in the Agreement, will not sell or share personal information, will not combine personal information from different customers except as permitted to detect security incidents or improve the Services, and will notify Customer if it can no longer meet CPRA obligations.
Revanx grants Customer the right to take reasonable and appropriate steps to ensure Revanx uses personal information in a manner consistent with CPRA, including reviewing available audits and requesting information necessary to verify compliance.

  14. Customer responsibilities

Customer is responsible for the lawfulness of personal data processing, including obtaining and recording all required notices and consents, ensuring data minimization, and configuring the Services in compliance with Applicable Data Protection Law.
Customer will not submit special categories of data or children’s data into the Services without Revanx’s prior written agreement and appropriate safeguards as defined in this DPA and the Agreement.

  15. Liability

The parties’ aggregate liability under this DPA is subject to the limitations of liability set out in the Agreement, except where prohibited by Applicable Data Protection Law or as required by the EU SCCs/UK Addendum.
Nothing in this DPA limits a data subject’s rights as a third‑party beneficiary under the EU SCCs where applicable.

  16. Duration: termination

This DPA remains in effect for the duration of the Agreement and thereafter as long as Revanx processes personal data on behalf of Customer.
Upon termination, Sections 5, 10–12, 15, and 18 survive as applicable to post‑termination obligations and compliance.

  17. Order of precedence

If there is a conflict between this DPA and the Agreement, this DPA controls for processing of personal data; if there is a conflict between this DPA and the EU SCCs or UK Addendum/IDTA, the EU SCCs or UK Addendum/IDTA prevail to the extent of the conflict for the covered transfers.
For CPRA‑covered data, CPRA‑mandated service provider/contractor terms prevail where required by law.

  18. Governing law and forum

This DPA follows the governing law and dispute resolution provisions of the Agreement for non‑SCC/IDTA matters; for the EU SCCs, the governing law and forum are as selected in Annex IV consistent with SCC requirements, with the default set to Irish law and the courts of Ireland for third‑party beneficiary enforcement.
Nothing in this Section affects mandatory rights or remedies available to data subjects under Applicable Data Protection Law or the SCCs.

  19. Contacts

Privacy/DPA notices and requests should be sent to: privacy@revanx.com or connect@aibzpro.com, with copies to yahia@aibzpro.com and ain@aibzpro.com; founders may also be reached at yahia@revanx.aibzpro.com and ain@revanx.aibzpro.com for coordination.
Operational security inquiries should be directed to security@revanx.com for expedited handling of incident‑related questions and DSR coordination.

Annex I: Details of processing


  • Subject matter: Processing of personal data as necessary to provide, secure, maintain, and improve the Services under the Agreement.

  • Duration: For the term of the Agreement and any post‑termination export window, plus backup retention cycles and legal holds as applicable.

  • Nature and purpose: Hosting, storage, indexing, transmission, display, analytics, communication orchestration, AI‑assisted processing, and integrations, solely for the Permitted Purpose.

  • Categories of data subjects: Customer’s leads, prospects, clients, counterparties, authorized users, and personnel as configured by Customer.

  • Types of personal data: Contact and professional data (e.g., names, emails, phone numbers, company, role), communications and metadata, documents and images uploaded by Customer, product usage and technical identifiers, and limited inferences within the platform, excluding sensitive categories unless expressly agreed in writing.

  • Special categories: Not intended to be processed; prohibited without prior written agreement and appropriate safeguards.

  • Controller instructions: As set out in the Agreement, Customer’s admin settings, and written instructions documented through the Services or support channels.

  • Frequency: Continuous and event‑driven processing during the subscription term.

Annex II: Technical and organizational measures (TOMs)


  • Encryption: AES‑256 at rest; TLS 1.2+ for data in transit.

  • Access controls: Role‑based access, least privilege, SSO support where available, credential and secret management, and periodic access reviews.

  • Logging and monitoring: Centralized logging, audit trails for privileged actions, anomaly detection, and real‑time observability of service health.

  • Reliability and recovery: Automated retries (“Task Hospital”), multi‑AZ cloud deployment where applicable, backups on rolling cycles, and disaster recovery testing.

  • Change management: Version control, peer review, CI/CD pipeline with gated approvals, feature flags, and staged rollouts with safe rollback.

  • Vulnerability management: Regular scanning, timely patching per severity, annual independent penetration testing with tracked remediation.

  • Data minimization and retention: Configurable data retention where applicable, export tools, and routine backup purges after defined cycles.

  • Incident response: Documented runbooks, multi‑disciplinary response, customer notification without undue delay with a target of 72 hours for notifiable events, and post‑incident reviews.

  • Supplier management: Sub‑processor due diligence, contractual DP terms, least‑privilege scoping, and ongoing monitoring aligned with risk.

Annex III: Authorized sub‑processors


  • Revanx will maintain and publish or provide upon request a current list of sub‑processors used to deliver the Services, including hosting, email delivery, analytics, support, and integration infrastructure providers, with material changes notified where legally required.

  • Customer may subscribe to updates or request notices via connect@aibzpro.com for sub‑processor changes related to its deployment.

Annex IV: International transfer mechanisms


  • EU SCCs: The parties agree the EU SCCs (Module Two and/or Module Three as applicable) are incorporated and completed by Annexes I–III, with Clause 9(a) “general authorization” for sub‑processing and Clause 17/18 governed by the laws and courts of Ireland for third‑party beneficiary rights.

  • UK Addendum/IDTA: For UK transfers, the UK Addendum to the EU SCCs or the IDTA applies, with Table selections cross‑referencing Annexes I–III and the chosen EU SCC modules, and with the competent supervisory authority set per the Customer’s establishment, defaulting to the UK ICO where appropriate.

  • Supplementary measures: The parties acknowledge implementation of technical, organizational, and contractual measures to address transfer risks in line with applicable guidance on international transfers, including encryption, access controls, and transparency reporting where legally permitted.

Contacts for privacy and DPA matters