Data Processing Agreement (DPA)

Last Updated: April 3, 2024

1. Definitions

2. Roles and Responsibilities

2.1 Data Controller (You - The Business Customer)

As the Data Controller, you are responsible for:

• Obtaining valid consent from Data Subjects before collecting their personal data
• Providing Data Subjects with clear privacy notices
• Determining the lawful basis for processing personal data
• Ensuring compliance with all applicable Data Protection Laws
• Instructing ReviewLead on how to process the data
• Responding to Data Subject requests (access, deletion, correction)
• Notifying ReviewLead immediately of any security incidents

2.2 Data Processor (ReviewLead)

As the Data Processor, ReviewLead is responsible for:

• Processing personal data only according to your documented instructions
• Implementing appropriate technical and organizational security measures
• Assisting you in responding to Data Subject requests
• Assisting you with security incident notifications
• Deleting or returning personal data when the service relationship ends
• Making available information necessary to demonstrate compliance

3. Data Processing Details

3.1 Purpose of Processing

ReviewLead processes personal data for the following purposes:

• Collecting customer ratings and reviews
• Routing satisfied customers to public review platforms
• Collecting private feedback from dissatisfied customers
• Displaying reviews and feedback in your dashboard
• Sending email notifications about new reviews
• Providing analytics and reporting

3.2 Types of Personal Data

The personal data processed includes:

• Contact Information: Name, email address, phone number (all optional)
• Feedback Data: Customer ratings (1-5 stars), feedback text, timestamps
• Technical Data: IP addresses, device information, browser type

3.3 Categories of Data Subjects

• End customers of the business (Data Controller)
• Individuals who provide feedback or reviews

3.4 Duration of Processing

Personal data will be processed for as long as:

• Your ReviewLead account is active, OR
• Until you delete the data, OR
• Until you instruct us to delete it, OR
• 30 days after account termination (whichever comes first)

4. Your Instructions to ReviewLead

4.1 Documented Instructions

By using ReviewLead, you instruct us to process personal data as follows:

• Store customer ratings and feedback in our database
• Display this data in your dashboard
• Send you email notifications about new reviews
• Provide you with export and deletion capabilities

4.2 Additional Instructions

You may provide additional documented instructions by:

• Using the dashboard controls (export, delete data)
• Contacting our support team at sreeskvk@gmail.com
• Using the settings features in your account

5. Security Measures

5.1 Technical Measures

ReviewLead implements the following technical security measures:

• Encryption in Transit: HTTPS/TLS for all data transmission
• Encryption at Rest: All data encrypted in Firebase/Google Cloud databases
• Authentication: Firebase Authentication with password hashing
• Access Controls: Role-based access restrictions
• Secure Infrastructure: Hosted on Google Cloud Platform (SOC 2, ISO 27001 certified)

5.2 Organizational Measures

• Regular security audits and updates
• Employee access restricted to necessary personnel only
• Incident response procedures in place
• Data minimization practices

6. Sub-processors

6.1 Authorized Sub-processors

ReviewLead uses the following sub-processors to provide the Service:

Sub-processor	Purpose	Location
Google Cloud Platform / Firebase	Cloud hosting, database, authentication	United States (with EU data centers available)
Google Analytics	Website analytics	United States
Email Service Provider	Transactional emails	United States

6.2 Sub-processor Changes

We will notify you of any changes to our sub-processors by:

• Updating this page
• Sending email notification (for material changes)
• Providing 30 days notice before engaging a new sub-processor

6.3 Your Right to Object

You may object to the use of a new sub-processor within 30 days of notification. If we cannot accommodate your objection, you may terminate the agreement without penalty.

7. International Data Transfers

7.1 Transfer Mechanisms

Personal data may be transferred to countries outside the EEA. We ensure appropriate safeguards through:

• Standard Contractual Clauses (SCCs): EU-approved model contracts
• EU-US Data Privacy Framework: For transfers to certified US companies
• Google Cloud Compliance: Our infrastructure provider maintains GDPR-compliant data centers

7.2 Data Location

By default, data is stored in:

• United States (Google Cloud us-central1 region)
• EU data centers available upon request for EU customers

8. Data Subject Rights

8.1 Assisting with Requests

ReviewLead will assist you in fulfilling Data Subject requests for:

• Access: Export data feature in dashboard
• Rectification: Edit capabilities in dashboard
• Erasure: Delete data feature in settings
• Restriction: Contact support to restrict processing
• Portability: JSON export in dashboard
• Objection: Opt-out features available

8.2 Response Time

We will provide reasonable assistance within:

• 48 hours for urgent requests
• 7 days for standard requests

9. Data Breach Notification

9.1 Our Obligation

In the event of a personal data breach, ReviewLead will:

• Notify you without undue delay (within 72 hours of becoming aware)
• Provide details about the nature of the breach
• Describe the likely consequences
• Describe measures taken or proposed to address the breach

9.2 Your Obligation

You are responsible for:

• Notifying affected Data Subjects as required by law
• Reporting the breach to supervisory authorities if required
• Determining whether the breach must be reported

10. Audits and Compliance

10.1 Information Provision

Upon reasonable request, ReviewLead will provide:

• Information about our data processing practices
• Evidence of compliance with this DPA
• Security certifications and audit reports

10.2 Audits

You may conduct audits or inspections by:

• Reviewing available security documentation
• Requesting information about our processes
• Engaging a third-party auditor (at your expense, with reasonable notice)

11. Data Deletion and Return

11.1 Upon Termination

When you terminate your account or subscription:

• You may export all data before termination
• We will delete all personal data within 30 days
• Backups will be deleted within 90 days

11.2 Upon Your Request

At any time, you may request:

• Return of data (via export feature)
• Deletion of specific data
• Deletion of all data

12. Liability and Indemnification

12.1 Your Liability

You are liable for:

• Ensuring you have lawful basis for processing
• Obtaining necessary consents from Data Subjects
• Providing adequate privacy notices
• Compliance with applicable Data Protection Laws

12.2 Our Liability

ReviewLead is liable for:

• Processing data only according to your instructions
• Implementing appropriate security measures
• Notifying you of data breaches
• Assisting with Data Subject requests

13. Term and Termination

13.1 Term

This DPA takes effect when you create a ReviewLead account and continues until termination of the Terms of Service.

13.2 Survival

Sections 11 (Data Deletion), 12 (Liability), and 15 (Governing Law) survive termination.

14. Changes to This DPA

We may update this DPA to reflect:

• Changes in Data Protection Laws
• Changes to our processing activities
• Changes to our sub-processors

We will notify you of material changes with 30 days notice.

15. Governing Law

This DPA is governed by the same laws as the ReviewLead Terms of Service.

16. Contact for DPA Matters

---

← Back to Home | Privacy Policy | Terms of Service