
Data Processing Agreement

Last Updated: 6 February 2026

1

Parties

  • Processor: Reviewed, operated by Ellis Elrick and Olly Mitchell, trading as Reviewed. Contact: support@revieweditapp.com
  • Controller: The User or Customer using Reviewed services.
2

Purpose and Scope

This DPA governs the processing of personal data by Reviewed on behalf of the Controller when the Controller uses Reviewed to manage customer communication and review follow-up messaging.

This Agreement applies to all personal data processed by Reviewed in connection with the Service.

3

Definitions

  • Applicable Data Protection Law: UK GDPR, Data Protection Act 2018, and applicable privacy laws
  • Controller: The organisation that determines purposes and means of processing
  • Processor: The entity that processes personal data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Data Subject: An individual whose personal data is processed
  • Processing: Any operation performed on personal data (collection, storage, transmission, deletion, etc.)
4

Roles and Responsibilities

4.1 Controller Responsibilities

  • Determines the purposes and means of processing personal data
  • Ensures lawful basis for processing under Applicable Data Protection Law
  • Obtains valid consent from data subjects where required
  • Provides privacy notices to data subjects
  • Ensures accuracy and quality of personal data

4.2 Processor Responsibilities

  • Processes personal data only on documented instructions from the Controller
  • Implements appropriate technical and organisational security measures
  • Ensures confidentiality of personnel processing personal data
  • Assists the Controller in fulfilling data subject rights requests
  • Notifies the Controller of any data breaches without undue delay
5

Processing Instructions

Reviewed processes personal data only as instructed by the Controller through the Controller’s use of the Service, configuration settings and templates, and direct instructions via support channels.

If Reviewed believes an instruction violates Applicable Data Protection Law, it will inform the Controller immediately.
6

Nature, Purpose, and Categories of Processing

  • Nature: Collection, storage, organisation, transmission via SMS and email, analysis, deletion
  • Purpose: Sending review follow-up messages, automating customer communication, tracking engagement, generating reports
  • Personal Data: Name, phone number, email address, service/appointment details, communication history
  • Data Subjects: Customers of the Controller’s business and recipients of review requests
7

Security Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security audits and vulnerability assessments
  • Employee confidentiality agreements
  • Incident response procedures
  • Regular backups
8

Sub-Processors

Reviewed may engage sub-processors to assist in providing the Service. The Controller consents to the use of these sub-processors. Reviewed will notify the Controller of any changes.

  • Supabase: Database and authentication services
  • Twilio: SMS delivery
  • Resend: Email delivery
9

Data Subject Rights

Reviewed will assist the Controller in responding to data subject rights requests including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
10

Data Breach Notification

In the event of a personal data breach, Reviewed will notify the Controller without undue delay and no later than 72 hours after becoming aware, providing:

  • Nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach
11

Data Deletion

Upon termination of the Service or upon request, Reviewed will delete or return all personal data to the Controller and delete existing copies, unless retention is required by law.

12

Audits and Compliance

Reviewed will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits upon reasonable notice.

13

International Transfers

Personal data is processed and stored in the UK and EEA. If data is transferred outside these regions, Reviewed will ensure appropriate safeguards are in place as required by Applicable Data Protection Law.

14

Term and Termination

This DPA remains in effect for as long as Reviewed processes personal data on behalf of the Controller. Obligations survive termination where required by law.

15

Contact