Data Processing Addendum (DPA)
Effective Date: 19 June 2026Version: 1.4.4
This Data Processing Addendum (“DPA”) forms part of the agreement between RevvTik Ltd (“RevvTik”, “we”, “us”) and the business customer (“Customer”, “you”) using the RevvTik services (“Services”). It is intended to satisfy Article 28 UK GDPR and, where applicable, Article 28 EU GDPR. “GDPR” means the UK GDPR and/or EU GDPR as applicable to a processing activity.
Order of precedence: (1) For international transfers, the EU Standard Contractual Clauses (Schedule B), UK IDTA, and UK Addendum prevail over all other provisions of this DPA and the Terms where they conflict. (2) Otherwise, this DPA prevails over the Terms on data-protection matters. (3) A separately signed transfer schedule prevails over this DPA for transfers only if it expressly states so in writing.
0. Roles and applicable law
- Customer is the controller of Customer Data, unless Customer acts only as a processor on behalf of its own controller — in which case Customer is the processor and its upstream controller remains the controller.
- RevvTik is the processor and is established in the United Kingdom.
- ICO registration: RevvTik Ltd is registered with the Information Commissioner's Office, reference ZC160387, under the Data Protection (Charges and Information) Regulations 2018.
- Lead supervisory authority (RevvTik as controller): Information Commissioner's Office (ICO) (https://ico.org.uk/).
- EU / EEA representative: RevvTik has not yet appointed an EU representative. We are assessing our Article 27 EU GDPR obligations for EU/EEA use of the Services. Where an EU representative is required for a customer deployment or market expansion, we will appoint an EU-based representative and update this policy with the representative's legal name, address, and contact details.
- Data Protection Officer: RevvTik is not required to appoint a DPO under Art. 37 GDPR. Privacy matters are handled by our privacy team at support@revvtik.com.
1. Definitions
Capitalised terms in the Terms apply here. In addition: “Customer Data” means personal data processed by RevvTik on behalf of Customer in providing the Services; “EEA” means the European Economic Area; “Sub-processor” means a third party engaged by RevvTik to process Customer Data; “Transfer” has the meaning in Chapter V GDPR.
2. Subject matter, nature, and purpose (Annex I summary)
See Annex I for the full description. In summary: RevvTik processes Customer Data to provide sales-coaching, call analytics, transcription, scoring, and related features described in the Terms and documentation.
3. Categories of data subjects and data
As set out in Annex I and the Privacy Policy.
4. Customer instructions
RevvTik processes Customer Data only on documented instructions from Customer (via the Services, configuration, and the Terms), unless UK or EU law to which RevvTik is subject requires otherwise. In that case RevvTik will inform Customer of the legal requirement before processing, unless prohibited on important public-interest grounds.
5. Sub-processors
Customer provides general written authorisation for RevvTik to engage Sub-processors listed in Annex III and at Sub-processors. RevvTik will give at least 14 days' advance notice before a new material Sub-processor begins processing Customer Data (page update, version bump where shown, and email to tenant administrators where available). Customer may object on reasonable data-protection grounds; parties will work in good faith. If unresolved, Customer may terminate the affected Services. RevvTik imposes data-protection terms on each Sub-processor materially as protective as this DPA, including appropriate transfer safeguards under Schedule A where required.
6. No use of Customer Data for model training
RevvTik will not use Customer Data, transcripts, or AI outputs to train general-purpose models for itself without Customer's separate written consent. Sub-processors are contractually restricted from using Customer Data for their own model training beyond what Customer separately agrees with that vendor. Where available, RevvTik configures provider settings intended to limit retention and training use; capabilities depend on vendor tier and region.
7. International transfers — Schedule A
7.1 UK ↔ EEA transfers
Transfers between the UK and the EEA are covered by mutual adequacy (UK adequacy regulations and the European Commission adequacy decision for the UK). No additional transfer tool is required solely for that corridor.
7.2 Transfers to third countries
Where Customer Data is transferred to a country without an adequacy decision, RevvTik implements appropriate safeguards under Chapter V GDPR, as follows.
A. UK-origin transfers
For transfers subject to UK GDPR, RevvTik adopts the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (UK Addendum), as applicable to the transfer path. The IDTA/UK Addendum is incorporated by reference into this DPA and deemed executed between the parties when Customer accepts the Terms or signs an order incorporating this DPA.
B. EEA-origin transfers — EU Standard Contractual Clauses
For transfers subject to EU GDPR, the official Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Decision 2021/914) (“EU SCCs”) are set out in Schedule B and incorporated verbatim and without modification except for completing Annex I, Annex II, and Annex III and making the elections expressly permitted by the EU SCCs (Clauses 7, 9, 11, 17, and 18). The statutory clause text must not be altered; any alteration would invalidate the EU SCCs.
Module selection: RevvTik is a B2B SaaS processor. The applicable module for each transfer leg is:
- Module Two (Controller to Processor) — where Customer is the controller (the typical B2B case) and personal data is transferred from Customer to RevvTik in a country without an adequacy decision, or where parties elect EU SCCs for that leg.
- Module Three (Processor to Processor) — where Customer acts only as a processor (not the controller) and transfers personal data to RevvTik as a further processor; or for onward transfers from RevvTik to Sub-processors in third countries where required.
The completed Annex I, Annex II, and Annex III form the annexes to the EU SCCs. Where the EU SCCs require an election:
- Clause 7 (Docking): the optional docking clause is not enabled unless parties agree in writing (e.g. order form).
- Clause 7 (Sub-processors): Option 2 — general written authorisation (see Section 5).
- Clause 9 (Supervisory authority): for Module Two, the supervisory authority is the competent authority in the EU Member State in which Customer (data exporter) is established, or Ireland if Customer is not established in the EU.
- Clause 11 (Redress): the optional independent dispute-resolution body is not designated unless agreed in writing.
- Clause 17 (Governing law): for EU SCC Module Two or Module Three, the law of the EU Member State in which Customer (data exporter) is established; if Customer is not established in the EU, the law of Ireland.
- Clause 18 (Choice of forum): the courts of that same Member State.
Conflict with this DPA: If any provision of Sections 0–17 of this DPA conflicts with the EU SCCs in Schedule B, the EU SCCs prevail for the affected international transfer.
C. Supplementary measures
RevvTik implements supplementary technical and organisational measures appropriate to the transfer risk, including those described in Annex II and at Security. RevvTik maintains a Transfer Impact Assessment (TIA) consistent with Schrems II, the EDPB recommendations, and the ICO transfer risk assessment guidance, and will provide a summary to Customer on reasonable request under NDA where appropriate.
D. Execution and copies
By using the Services or executing an order referencing this DPA, Customer agrees that the EU SCCs (with Modules Two and/or Three as applicable), UK IDTA, and/or UK Addendum are deemed executed with Annex I–III completed as below. Enterprise customers may request a countersigned PDF at support@revvtik.com.
8. Confidentiality and personnel
RevvTik ensures persons authorised to process Customer Data are bound by confidentiality or statutory obligations and receive appropriate data-protection training. Access is limited to personnel with a legitimate need and subject to access controls.
9. Security
Technical and organisational measures are described in Annex II and at Security.
10. Automated decision-making safeguards (Art. 22)
Customer acknowledges that RevvTik scoring constitutes profiling under Art. 4(4) GDPR. RevvTik provides in-product safeguards; Customer will not disable or circumvent them, including:
- Onboarding copy that scores are for coaching, not sole employment decisions.
- Documentation links and optional help flows for reps and managers.
- Per-parameter scores, coaching sections, and transcript-linked evidence.
- AI output combined with structured scoring and optional human review — not a fully autonomous employment-decision system.
Customer will not use RevvTik scores as the sole basis for legal or similarly significant effects without meaningful human review.
11. Assistance with data subject rights
RevvTik will assist Customer by appropriate measures in responding to data-subject requests, targeting five (5) business days of Customer's request where feasible. RevvTik may receive requests directly (e.g. from salespeople) and will coordinate with Customer as required by law.
12. Assistance with DPIAs and prior consultation
On reasonable request, RevvTik provides information necessary for Customer's DPIAs and prior consultations (Arts. 35–36).
13. Breach notification
RevvTik notifies Customer without undue delay and within 72 hours of becoming aware of a personal data breach affecting Customer Data, with information needed for Customer's Art. 33/34 obligations. Where RevvTik is controller for affected data, it notifies the competent authority within the same period where required.
14. Retention, deletion, and return
- Default retention: transcripts, analyses, scores, and coaching insights — up to 24 months, unless Customer sets a shorter period in Org settings.
- Audio: deleted promptly after transcription, subject to temporary processing retries.
- On verified account or organisation deletion, Customer Data is deleted from primary application systems within 30 days, subject to technical and legal retention constraints. Backup copies may persist through backup retention and rotation cycles, typically not exceeding a further 30 days, and are protected from normal use until overwritten or purged.
- For verified individual erasure requests, RevvTik will respond within the applicable legal timeframe and delete or anonymise personal data where required, subject to legal exceptions, technical constraints, and the Customer's role as controller.
- On termination: export during the post-termination window in the Terms; then deletion per account/organisation deletion flows.
15. Audit
Customer may audit compliance once per year on reasonable notice, or accept a questionnaire / certification summary (e.g. SOC 2, ISO 27001 when available). Audits must be scoped, scheduled, and not compromise other customers' data or service availability.
16. Works council and employment law
Customer represents it has obtained required works-council, union, or employee representative approvals and lawful bases before deploying monitoring features. RevvTik is not liable for Customer's failure to obtain them.
17. Liability
Liability for breach of this DPA is subject to the limitation of liability in the Terms, except where prohibited by law. For international transfers governed by Schedule B, EU SCC Clause 12 (Module Two or Module Three, as applicable) prevails over this Section and the Terms to the extent of any conflict.
Schedule B — EU Standard Contractual Clauses (2021/914)
(Appendix — official text incorporated without alteration.)
The Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 are incorporated into this DPA in their official, unmodified form as published by the European Commission and available at EUR-Lex — Decision 2021/914. RevvTik does not reproduce the full clause text here to avoid transcription errors that could invalidate the instrument; the official published text is the controlling version.
The parties agree that: (a) Module Two is selected for the controller-to-processor leg where Customer is controller (see Section 7.2.B); (b) Module Three is selected for processor-to-processor onward transfers to Sub-processors and where Customer is a processor (see Section 7.2.B); (c) Annex I, II, and III below are completed as required by Decision 2021/914; and (d) the elections in Section 7.2.B apply. No other modification to the EU SCC clause text is made.
Precedence: In the event of inconsistency between Schedule B (EU SCCs) and any other part of this DPA, Schedule B prevails with respect to international transfers.
Annex I — List of parties & description of processing
(Forms Annex I to the EU SCCs. Module Two where Customer is controller; Module Three where Customer is processor or for RevvTik onward transfers.)
A. List of parties
| Role | Module Two | Module Three |
|---|---|---|
| Data exporter | Customer (controller) | Customer (processor), or RevvTik Ltd (processor) for onward Sub-processor transfers |
| Data importer | RevvTik Ltd 128 City Road, London, EC1V 2NX Contact: support@revvtik.com | Sub-processor(s) per Annex III |
| Activities | Provision of RevvTik Services to Customer | Sub-processing per Annex III |
B. Description of transfer & processing
| Categories of data subjects | Customer's employees and contractors (e.g. salespeople); third parties in recordings (e.g. prospects, customers). |
| Categories of personal data | Identifiers and professional data; call/meeting recordings and transcripts; AI analyses, scores, coaching insights; integration metadata; technical and security logs. Special category data may be incidentally present in recordings; Customer is responsible for lawful basis and proportionality. |
| Sensitive data | Not intentionally collected. If incidentally present in audio/transcripts, processed only as instructed by Customer for the Services. |
| Frequency | Continuous for the subscription term. |
| Nature & purpose | Hosting, transcription, AI analysis, scoring, coaching, integrations, support, security monitoring — to provide the Services per the Terms. |
| Retention & deletion | Per Section 14 and the Privacy Policy. Audio deleted after transcription; coaching content default 24 months. |
Annex II — Technical and organisational measures
(Forms Annex II to the EU SCCs. Includes measures for supplementary transfer safeguards.)
RevvTik implements measures including, as applicable: encryption in transit (TLS) and at rest for sensitive fields; role-based access control and tenant isolation; least-privilege staff access with logging; secure development and change management; vulnerability reporting; incident response; backup encryption and retention limits; audit logging without storing transcript content in application logs; prompt deletion of source audio after transcription; sub-processor due diligence and contractual safeguards; and customer authentication using short-lived JWT access tokens and rotating refresh tokens delivered in HttpOnly cookies, with refresh tokens stored only as hashes and reuse detection (as described in our Cookie Policy and Security overview).
Customer workspace sign-in uses a server-side session model. After successful authentication (email and password and/or Google OAuth, where enabled), RevvTik issues a short-lived signed access token (JSON Web Token, JWT) in an HttpOnly cookie named `rt_at` (fifteen (15) minutes) and a rotating opaque refresh token in a separate HttpOnly cookie named `rt_rt` (up to seven (7) days of inactivity, or until you sign out). Refresh tokens are stored only as cryptographic hashes in our database; if a revoked refresh token is reused, the session is ended for security. JWT access tokens are sent automatically by your browser on API requests and are not stored in `localStorage` or `sessionStorage`. For UI convenience, a minimal user profile (such as display name and role) may be cached locally without session secrets.
Full detail: Security overview (updated periodically; forms part of this Annex by reference).
Annex III — Sub-processors
(Forms Annex III to the EU SCCs Module Three. Authorised Sub-processors as of the effective date of this DPA version.)
| Sub-processor | Processing activity | Location / transfer notes |
|---|---|---|
| Cloud infrastructure providers | Hosting, databases, object storage | Per deployment (e.g. EU, US, India) |
| AssemblyAI | Speech-to-text transcription | EU (Ireland) endpoint |
| OpenAI | LLM inference (analysis, coaching) | United States — SCCs / supplementary measures |
| Zoom | Per-user OAuth: cloud recording ingestion and past participant metadata (if connected) | Per Zoom / customer config |
| Google (Workspace / Meet / Drive) | Per-user OAuth: recording/file ingestion and related metadata (if connected) | Per Google / customer config |
| FreJun | Telephony recording ingestion (if connected) | Per FreJun / customer config |
| Email / support providers | Transactional email, support tooling | Per provider / deployment |
The live list with change history is maintained at Sub-processors. That page and this Annex III are updated together; material changes follow Section 5 notice.
Contract entity & contact
RevvTik Ltd128 City Road
London EC1V 2NX
United Kingdom
Support and Legal Contact: support@revvtik.com
Related policies: Privacy Policy · Terms of Service