DPA - Data Processing Agreement for RevWize

of PebbleByte GmbH

As of: April 14, 2025

1. Subject Matter and Duration of Processing

The processor processes personal data exclusively on behalf of and in accordance with the instructions of the controller, as described in the main agreement (use of the RevWize platform).

The purpose of the processing is the collection, management, and use of contact data for communication with the controller's end customers, in particular for generating review requests and optional SMS marketing.

The contract is valid for the duration of the use of the RevWize platform and ends automatically upon termination of the main agreement.

2. Type and Purpose of Processing

  • Type of data: Phone numbers, names (optional), metadata (e.g., sending times), communication content (e.g., SMS text)
  • Categories of data subjects: End customers of the controller
  • Purpose: Sending review invitations and, if applicable, marketing SMS in accordance with consent

3. Obligations of the Processor

The processor undertakes to:

  • Process data only on documented instructions of the controller
  • Implement appropriate technical and organizational measures in accordance with Art. 32 GDPR
  • Obligate employees to confidentiality
  • Engage subcontractors (e.g., SMS sending providers, hosting) only with the consent of the controller
  • Support data subject rights (Art. 12-23 GDPR)
  • Report data protection breaches without delay
  • Fulfill deletion and return obligations after the end of the contract
  • Provide evidence of compliance with GDPR requirements

4. Obligations of the Controller

The controller is responsible for:

  • Ensuring the lawfulness of data processing (e.g., consent to SMS)
  • Transmitting only such data whose processing is permitted
  • Using RevWize exclusively for lawful purposes
  • Responding to requests from data subjects independently, unless support from the processor is required

5. Technical and Organizational Measures (TOMs)

The processor has implemented appropriate measures to protect personal data, including:

  • HTTPS encryption of all data transfers
  • Access restriction via authentication and role management
  • Logging of access and changes
  • Server hosting exclusively within the EU
  • Data minimization and time-limited storage

6. Use of Sub-processors

The processor may use sub-processors (e.g., for SMS sending, hosting) who have been contracted in accordance with GDPR and contractually obligated to comply with this agreement. A current list can be requested at any time.

7. Audits and Evidence

The controller has the right to verify compliance with this agreement by the processor to a reasonable extent. The processor will provide appropriate evidence upon request.

8. Deletion and Return

After termination of the main agreement, all personal data will be deleted or returned at the request of the controller, unless there is a legal retention obligation.

9. Liability

Liability is governed by statutory provisions. The processor is only liable for damages arising from a culpable breach of its obligations under this agreement.

10. Other Provisions

  • Amendments to this agreement require text form
  • Jurisdiction: Place of the processor's registered office
  • This agreement supplements the main agreement for the use of the RevWize platform
  • Contract language: The contract language is German. Any communication and support services are also provided in German unless otherwise agreed. Should PebbleByte translate these GTC into another language, this serves only for understanding purposes; in case of doubt, the German wording takes precedence.

Contact:

PebbleByte GmbH

Email: office@pebblebyte.com

Website: https://revwize.com