Effective Date: 1 January 2025
This Data Processing Agreement ("DPA") is entered into between Revieve Oy ("Revieve" or "Processor") and the Client ("Controller"), collectively referred to as "Parties." This DPA supplements and forms an integral part of the Terms of Service governing the provision of services by Revieve to the Controller ("Agreement"). This DPA ensures compliance with Applicable Data Protection Law.
3.1 Scope. The Processor shall process personal data solely for the purpose of providing the services described in the Agreement.
3.2 Restrictions. The Processor shall not process personal data for any other purpose unless explicitly authorized by the Controller in writing.
3.3 Data Categories. The categories of personal data processed and the nature and purpose of processing are further detailed in Appendix A.
3.4 Compliance Responsibility. Each Party shall be individually responsible for ensuring compliance with applicable data protection laws and regulations.
4.1 Processing Instructions. The Processor shall process personal data only in accordance with the Controller’s documented instructions.
4.2 Security Measures. The Processor shall implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
4.3 Confidentiality. The Processor shall ensure that its personnel authorized to process personal data are subject to confidentiality obligations.
4.4 Data Subject Rights. The Processor shall assist the Controller in responding to data subject rights requests, including requests for access, rectification, erasure, restriction, and data portability.
4.5 Regulatory Compliance Assistance. The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and any related prior consultations with supervisory authorities.
4.6 Breach Notification. The Processor shall notify the Controller without undue delay upon becoming aware of a data breach, providing sufficient information for the Controller to comply with its legal obligations.
4.7 Unlawful Instructions. The Processor shall immediately inform the Controller if it determines that the Controller’s instructions are unlawful or in violation of data protection laws.
5.1 Legal Basis. The Controller warrants that it has obtained all necessary consents and legal bases for processing personal data.
5.2 Processing Instructions. The Controller shall provide the Processor with accurate processing instructions and notify the Processor of any necessary changes.
5.3 Record-Keeping. The Controller shall maintain a record of processing activities as required under Applicable Data Protection Law and ensure compliance with applicable laws.
6.1. Authorization. The Controller authorizes the Processor to engage subprocessors as necessary for service delivery.
6.2. Subprocessor Obligations. The Processor shall ensure that any subprocessors are bound by obligations equivalent to those set forth in this DPA.
6.3. Subprocessor Notification and Right to Object. A current list of approved subprocessors is maintained in Appendix C. The Processor will update this list at least 30 days before engaging a new subprocessor. If the Controller does not submit a written objection within this period, the new subprocessor shall be deemed approved. The Controller may only object on reasonable and documented data protection grounds.
7.1 Data Transfers & Compliance Mechanisms.
The Processor shall not transfer personal data outside its original collection jurisdiction unless compliant with Applicable Data Protection Laws, including GDPR (EEA), UK GDPR, CCPA/CPRA (US), PIPL (China), and other relevant laws. Transfers shall rely on legally recognized mechanisms, including:
Data that has been fully anonymized so that it cannot be re-identified is no longer personal data and is therefore not subject to Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (DPF), or other transfer mechanisms. Upon request, the Controller may review the transfer mechanisms relied on, including SCCs, Binding Corporate Rules (BCRs), or DPF certification status. A list of subprocessors handling personal or anonymized data is maintained in Appendix C.
8.1 Compliance with Security Measures. The Processor shall implement the technical and organizational security measures required by applicable data protection legislation and this Data Processing Agreement to ensure the security of the personal data processed.
8.2 Risk Management and Data Protection Processes. The Processor shall be responsible for ensuring that appropriate documented risk management and data protection processes are applied to the processing of personal data.
8.3 Protection of IT Systems and Data Processing Systems. Considering the sensitive nature of personal data and the risk level assessed by the Controller, the Processor shall implement effective security measures to protect IT systems, cloud infrastructure, and data processing environments. These measures shall ensure the authenticity, integrity, and availability of personal data until it is securely deleted in accordance with this Data Processing Agreement.
8.4 Prohibited Uses of Personal Data. The Processor shall not use the personal data for its own service development or testing, or for any other purpose of its own.
9.1 Reporting Obligations. In the event of a data breach, the Processor shall:
10.1 Retention Period. The Processor shall retain personal data only for the duration necessary to fulfill its obligations under the Agreement.
10.2 Data Deletion. Upon termination of services, the Processor shall, at the Controller’s request, either delete or return all personal data within a reasonable timeframe, unless legal obligations require continued retention. The timeframe for such deletion or return shall be mutually agreed upon but shall not exceed sixty (60) days from the termination date.
11.1 Independent Audits. The Processor undergoes regular independent third-party security audits to verify compliance with industry standards for security, availability, confidentiality, and data protection.
11.2 Use of Audit Reports. The Processor shall provide the Controller with a copy of its most recent independent security audit report upon request, satisfying the Controller’s audit rights under this DPA.
11.3 Customer-Requested Audits. If the Controller reasonably requires additional verification beyond the provided audit report, the Controller may conduct an independent audit no more than once per year with 30 days' written notice. Such audits shall be limited to reviewing compliance documentation and shall not disrupt Processor operations.
11.4 Audit Costs. Each party shall bear its own costs related to an audit unless material non-compliance is found, in which case the Processor shall bear reasonable costs of the audit.
12.1 Agreement Duration. This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller and shall automatically terminate upon expiration or termination of the main service agreement between the parties.
12.2 Early Termination. Either party may terminate this DPA with thirty (30) days' written notice if the other party is in material breach and fails to cure the breach within that period.
Termination of this DPA shall not, by itself, affect the validity or enforceability of the Terms of Service or any active Pricing Agreement between the Parties. The Client remains obligated to fulfill all payment and contractual obligations under the Pricing Agreement and the Terms of Service, regardless of the DPA’s termination.
If the termination of this DPA prevents Revieve from legally providing the Solution due to compliance with Applicable Data Protection Law, Revieve may temporarily suspend the affected portion of the Solution for up to thirty (30) days while the Parties engage in good faith negotiations to restore compliance. If compliance is not restored within this period, Revieve reserves the right to continue the suspension, renegotiate terms, or terminate the Agreement in accordance with its terms. Such suspension shall not relieve the Client of its payment obligations under the Pricing Agreement.
12.3 Surviving Obligations. The following sections shall survive termination of this Agreement: Section 4 (Confidentiality), Section 7 (Cross-Border Data Transfers), Section 9 (Data Breach Notification), and Section 10 (Retention & Deletion of Data) of the DPA; and Section 12 (Limitation of Liability) and Section 14 (Governing Law & Dispute Resolution) of the Terms.
12.4 Governing Law & Jurisdiction. This DPA shall be governed by and construed in accordance with the laws and jurisdiction set forth in Revieve’s Terms of Service, which can be accessed at https://www.revieve.com/company/terms-of-service.
13.1 Notices. All notices required under this DPA shall be in writing and sent via email or registered mail to the designated contacts below:
For Revieve (Solution Provider):
Email: accountsuccess@revieve.com
Address: Revieve Oy, Mannerheimintie 20A, 00100 Helsinki, Finland
For the Client:
The Client shall provide a valid contact email upon signing this Agreement.
Notices sent by email shall be deemed received on the next business day following transmission. Notices sent via registered mail shall be deemed received three (3) business days after dispatch.
Includes but is not limited to skin analysis data, anonymized behavioral data, and other information voluntarily provided by users.
The Processor acknowledges that selfie images and skin analysis data may be classified as sensitive personal data under certain Applicable Data Protection Laws. Such data is processed with enhanced security measures and deleted immediately after analysis.
Personalized beauty recommendations, customer interactions, analytics, and service improvements.
Data is retained for the duration of the Agreement and deleted within 90 days of termination, unless legally required to be retained.
The following data is processed only for the purpose of providing the Solution and is not stored:
The following information is stored only in an anonymized format:
AES-256 encryption is applied to stored data, and TLS 1.2+ is used for data in transit to ensure confidentiality and integrity.
Strict access policies are enforced, including multi-factor authentication (MFA), role-based access controls (RBAC), and logging of all access events.
The Processor implements continuous monitoring for unauthorized access, conducts regular security audits, and performs vulnerability scans to identify and mitigate risks.
The Processor shall ensure that subprocessors maintain security standards consistent with this DPA. The Processor may conduct periodic security reviews of its subprocessors where deemed necessary based on risk assessments or regulatory requirements.
A dedicated security response team provides 24/7 monitoring for potential security incidents. The Processor maintains an incident response plan, ensuring timely identification, containment, and reporting of security breaches.
The current list of approved subprocessors is maintained below in this Appendix. The Processor will update this list at least 30 days before engaging a new subprocessor, in accordance with Section 6. If the Controller does not submit a written objection within this period, the new subprocessor shall be deemed approved.
Transfers to non-U.S. jurisdictions (e.g., APAC, South America) shall comply with the Standard Contractual Clauses (SCCs) adopted by the European Commission on June 4, 2021 (Commission Implementing Decision (EU) 2021/914), reproduced in Appendix D. The Processor shall apply additional safeguards (e.g., encryption, pseudonymization) where necessary. The full SCC text is available at: EU Commission SCCs (June 4, 2021).