Data Processing Agreement (DPA)

Effective Date: 1 January 2025

1. Introduction

This Data Processing Agreement ("DPA") is entered into between Revieve Oy ("Revieve" or "Processor") and the Client ("Controller"), collectively referred to as "Parties." This DPA supplements and forms an integral part of the Terms of Service governing the provision of services by Revieve to the Controller ("Agreement"). This DPA ensures compliance with Applicable Data Protection Law.

2. Definitions

  • Applicable Data Protection Law: All laws governing the processing of Personal Data under these Terms, including the General Data Protection Regulation (GDPR) and relevant national laws in the European Economic Area (EEA), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA) and other applicable U.S. federal and state privacy laws, the Swiss Federal Act on Data Protection, China’s Personal Information Protection Law (PIPL), and any other applicable data protection laws in jurisdictions where the Controller operates.
  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: The entity that processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
  • Data Subject: The individual whose personal data is processed.
  • Processing: Any operation performed on personal data, such as collection, storage, use, modification, transfer, or deletion.
  • Subprocessor: A third party engaged by Revieve to process personal data on behalf of the Controller.
  • Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  • Supervisory Authority: The independent public authority responsible for monitoring compliance with data protection laws.

3. Purpose and Scope

3.1 Scope. The Processor shall process personal data solely for the purpose of providing the services described in the Agreement.

3.2 Restrictions. The Processor shall not process personal data for any other purpose unless explicitly authorized by the Controller in writing. 

3.3 Data Categories. The categories of personal data processed and the nature and purpose of processing are further detailed in Appendix A.

3.4 Compliance Responsibility. Each Party shall be individually responsible for ensuring compliance with applicable data protection laws and regulations.

4. Obligations of the Processor

4.1 Processing Instructions. The Processor shall process personal data only in accordance with the Controller’s documented instructions.

4.2 Security Measures. The Processor shall implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. 

4.3 Confidentiality. The Processor shall ensure that its personnel authorized to process personal data are subject to confidentiality obligations. 

4.4 Data Subject Rights. The Processor shall assist the Controller in responding to data subject rights requests, including requests for access, rectification, erasure, restriction, and data portability.
 

4.5 Regulatory Compliance Assistance. The Processor shall provide assistance to the Controller in data protection impact assessments, when reasonable. 

4.6 Breach Notification. The Processor shall notify the Controller without undue delay upon becoming aware of a data breach, providing sufficient information for the Controller to comply with its legal obligations.

4.7 Unlawful Instructions. The Processor shall immediately inform the Controller if it determines that the Controller’s instructions are unlawful or in violation of data protection laws.

5. Obligations of the Controller

5.1 Legal Basis. The Controller warrants that it has obtained all necessary consents and legal bases for processing personal data.

5.2 Processing Instructions. The Controller shall provide the Processor with accurate processing instructions and notify the Processor of any necessary changes.

5.3 Record-Keeping. The Controller shall maintain a record of processing activities as required under Applicable Data Protection Law and ensure compliance with applicable laws.

6. Use of Subprocessors

6.1 Authorization. The Controller authorizes the Processor to engage subprocessors as necessary for service delivery.

6.2 Subprocessor Obligations. The Processor shall ensure that any subprocessors are bound by obligations equivalent to those set forth in this DPA.

6.3 Subprocessor Notification and Right to Object. A current list of approved subprocessors is maintained in Appendix C. The Processor will update this list at least 30 days before engaging a new subprocessor. If the Controller does not submit a written objection within this period, the new subprocessor shall be deemed approved. The Controller may only object on reasonable and documented data protection grounds.

7. International Data Transfers

7.1 Data Transfers & Compliance Mechanisms.

The Processor shall not transfer personal data outside its original collection jurisdiction unless compliant with Applicable Data Protection Laws, including GDPR (EEA), UK GDPR, CCPA/CPRA (US), PIPL (China), and other relevant laws. Transfers shall rely on legally recognized mechanisms, including:

  • Transfers from the EEA, UK, and Switzerland shall be conducted using Standard Contractual Clauses (SCCs) (Appendix D), Binding Corporate Rules (BCRs), or where applicable, an adequacy decision by the European Commission.
  • Transfers from the EEA, UK, and Switzerland to the U.S. may rely on the EU-U.S. Data Privacy Framework (DPF) if the recipient is DPF-certified (Appendix C), removing the need for SCCs.
  • Transfers from China to other jurisdictions shall comply with PIPL, including security impact assessments and explicit consent when required.
  • Transfers from the U.S. to other jurisdictions shall comply with applicable U.S. federal and state privacy laws, including but not limited to CCPA/CPRA, VCDPA, CPA, CTDPA, and UCPA. Where relevant, transfers shall also comply with sector-specific laws such as HIPAA, COPPA, and GLBA. The Processor shall ensure that adequate contractual safeguards provide equivalent protection in line with U.S. privacy requirements.
  • Transfers from other jurisdictions not explicitly listed (including but not limited to Japan, South Korea, Singapore, India, Australia, Brazil, Canada, and the Middle East) shall comply with applicable local privacy laws governing international data transfers, ensuring an equivalent level of protection as required under such laws.

If data is fully anonymized and cannot be re-identified, it is not subject to SCCs, DPF, or other transfer mechanisms. Upon request, the Controller may review transfer mechanisms, including SCCs, BCR certifications, or DPF status. A list of subprocessors handling personal or anonymized data is maintained in Appendix C.

8. Security Measures

8.1 Compliance with Security Measures. The Processor shall implement technical and organizational safety measures as required by applicable data protection legislation and this Data Processing Agreement to ensure the security of the processed personal data.

8.2 Risk Management and Data Protection Processes. The Processor shall be responsible for ensuring that appropriate documented risk management and data protection processes are applied to the processing of personal data.

8.3 Protection of IT Systems and Data Processing Systems. Considering the sensitive nature of personal data and the risk level assessed by the Controller, the Processor shall implement effective security measures to protect IT systems, cloud infrastructure, and data processing environments. These measures shall ensure the authenticity, integrity, and availability of personal data until it is securely deleted in accordance with this Data Processing Agreement.

8.4 Prohibited Uses of Personal Data. The Processor shall not use the personal data for its own service development or testing, nor for any other purpose of its own.

9. Data Breach Notification

9.1 Reporting Obligations. In the event of a data breach, the Processor shall:

  • Notify the Controller of the data breach without undue delay and in compliance with applicable data protection laws.
  • Provide the Controller with a description of the nature of the breach, categories and approximate number of affected data subjects, and recommended mitigation measures.
  • Cooperate with the Controller in investigating and mitigating the effects of the breach.

10. Retention and Deletion of Data

10.1 Retention Period. The Processor shall retain personal data only for the duration necessary to fulfill its obligations under the Agreement. 

10.2 Data Deletion. Upon termination of services, the Processor shall, at the Controller’s request, either delete or return all personal data within a reasonable timeframe, unless legal obligations require continued retention. The timeframe for such deletion or return shall be mutually agreed upon but shall not exceed e.g., 60 days from the termination date.

11. Audit Rights

11.1 Independent Audits. The Processor undergoes regular independent third-party security audits to verify compliance with industry standards for security, availability, confidentiality, and data protection.

11.2 Use of Audit Reports. The Processor shall provide the Controller with a copy of its most recent independent security audit report upon request, satisfying the Controller’s audit rights under this DPA.

11.3 Customer-Requested Audits. If the Controller reasonably requires additional verification beyond the provided audit report, the Controller may conduct an independent audit no more than once per year with 30 days' written notice. Such audits shall be limited to reviewing compliance documentation and shall not disrupt Processor operations.

11.4 Audit Costs. Each party shall bear its own costs related to an audit unless material non-compliance is found, in which case the Processor shall bear reasonable costs of the audit.

12. Term and Termination

12.1 Agreement Duration. This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller and shall automatically terminate upon expiration or termination of the main service agreement between the parties.

12.2 Early Termination. Either party may terminate this DPA with thirty (30) days' written notice if the other party is in material breach and fails to cure the breach within that period.

Termination of this DPA shall not, by itself, affect the validity or enforceability of the Terms of Service or any active Pricing Agreement between the Parties. The Client remains obligated to fulfill all payment and contractual obligations under the Pricing Agreement and the Terms of Service, regardless of the DPA’s termination.

If the termination of this DPA prevents Revieve from legally providing the Solution due to compliance with Applicable Data Protection Law, Revieve may temporarily suspend the affected portion of the Solution for up to thirty (30) days while the Parties engage in good faith negotiations to restore compliance. If compliance is not restored within this period, Revieve reserves the right to continue the suspension, renegotiate terms, or terminate the Agreement in accordance with its terms. Such suspension shall not relieve the Client of its payment obligations under the Pricing Agreement.

12.3 Surviving Obligations. The following sections shall survive termination of this Agreement: Section 4 (Confidentiality), Section 7 (Cross-Border Data Transfers), Section 9 (Data Breach Notification), and Section 10 (Retention & Deletion of Data) of the DPA; and Section 12 (Limitation of Liability) and Section 14 (Governing Law & Dispute Resolution) of the Terms.

12.4 Governing Law & Jurisdiction. This DPA shall be governed by and construed in accordance with the laws and jurisdiction set forth in Revieve’s Terms of Service, which can be accessed at https://www.revieve.com/company/terms-of-service.

13. Notices

13.1 Notices. All notices required under this DPA shall be in writing and sent via email or registered mail to the designated contacts below:


For Revieve (Solution Provider):

Email: accountsuccess@revieve.com

Address: Revieve Oy, Mannerheimintie 20A, 00100 Helsinki, Finland

For the Client:

The Client shall provide a valid contact email upon signing this Agreement.

Notices sent by email shall be deemed received on the next business day following transmission. Notices sent via registered mail shall be deemed received three (3) business days after dispatch.

Appendix A: Personal Data Categories and Processing Purposes

A.1 Personal Data Categories

Includes but is not limited to skin analysis data, anonymized behavioral data, and other information voluntarily provided by users.

A.2 Sensitive Data

The Processor acknowledges that selfie images and skin analysis data may be classified as sensitive personal data under certain Applicable Data Protection Laws. Such data is processed with enhanced security measures and deleted immediately after analysis.

A.3 Processing Purposes

Personalized beauty recommendations, customer interactions, analytics, and service improvements.

A.4 Retention Period


Data is retained for the duration of the Agreement and deleted within 90 days of termination, unless legally required to be retained.

A.5 Information Temporarily Collected and Processed

The following data is processed only for the purpose of providing the Solution and is not stored:

  • First 8 octets of the end user's IP address for country- and city-level location purposes (deleted after the user session is closed).
  • Selfie image of the end user for skin analysis purposes (deleted right after the analysis is completed).

A.6 Information Collected and Stored in an Anonymized Format

The following information is stored only in an anonymized format:

  • A unique identification number assigned to the e-commerce site visitor by the Processor.
  • Approximate city-level location, as determined by GeoIP.
  • Product recommendations provided to the user, linked to the Client’s product identification numbers.
  • Skincare and color cosmetics preferences selected through the Solution.
  • Environmental data, such as current weather and forecast based on location.
  • Transformed selfie data, converted into numerical scores for skin type classification.
  • Aggregated, anonymized data, which may be used for analytics, benchmarking, and service improvements, ensuring that no individual user is identifiable.

Appendix B: Security Measures

B.1 Data Encryption

AES-256 encryption is applied to stored data, and TLS 1.2+ is used for data in transit to ensure confidentiality and integrity.

B.2 Access Control

Strict access policies are enforced, including multi-factor authentication (MFA), role-based access controls (RBAC), and logging of all access events.

B.3 Monitoring & Auditing

The Processor implements continuous monitoring for unauthorized access, conducts regular security audits, and performs vulnerability scans to identify and mitigate risks.

B.4 Subprocessor Security Review

The Processor shall ensure that subprocessors maintain security standards consistent with this DPA. The Processor may conduct periodic security reviews of its subprocessors where deemed necessary based on risk assessments or regulatory requirements.

B.5 Incident Response Plan

A dedicated security response team provides 24/7 monitoring for potential security incidents. The Processor maintains an incident response plan, ensuring timely identification, containment, and reporting of security breaches.

Appendix C: Approved Subprocessors

C.1 List of Subprocessors

The current list of approved subprocessors is maintained below in this Appendix. The Processor will update this list at least 30 days before engaging a new subprocessor, in accordance with Section 6. If the Controller does not submit a written objection within this period, the new subprocessor shall be deemed approved.

| Entity Name | Subprocessing Activities | Purpose & Additional Details | Location | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud Infrastructure | Hosting for Revieve static content | Multiple CDN locations worldwide | DPF-Certified |
| Google LLC (Google Cloud Platform) | Cloud Infrastructure | Hosting for Revieve APIs. Processing in the closest region: EU, US, or APAC (Japan). | EU, US, APAC | DPF-Certified |
| Google LLC (Google Analytics) | Analytics | Analyzing user interactions with our platform. Removing PII data: EU Processing | EU | DPF-Certified |
| Amplitude, Inc. | Product Analytics | Insights into product usage and optimization | US | DPF-Certified |
| MongoDB, Inc. | Data Storage and Querying | Secure storage and efficient retrieval of data | EU, US & APAC | DPF-Certified |
| AerisWeather | Weather Information | Providing weather data based on users' approximate location | US | Anonymized Data. No SCCs Required. |
| Maxmind, Inc. | Location Services | Determining users' approximate location using the first three octets of their IP address | US | Anonymized Data. No SCCs Required. |
| Functional Software, Inc. | Frontend Monitoring | Detecting and resolving frontend crashes and issues | US | Anonymized Data. No SCCs Required. |

Appendix D: Data Transfer Mechanisms

D.1 Data Privacy Framework (DPF) for U.S. Transfers.

Transfers of personal data from the EEA, UK, and Switzerland to the U.S. may rely on the EU-U.S. Data Privacy Framework (DPF) if the recipient is DPF-certified (Appendix C). For transfers to these subprocessors, SCCs are not required, as the DPF ensures an adequate level of protection. The Processor shall ensure that subprocessors using the DPF maintain their certification.

D.2 SCCs for Non-U.S. Transfers.


Transfers to non-U.S. jurisdictions (e.g., APAC, South America) shall comply with the Standard Contractual Clauses (SCCs), last updated on June 4, 2021 (Appendix D). The Processor shall apply additional safeguards (e.g., encryption, pseudonymization) where necessary. The full SCC text is available at: EU Commission SCCs (June 4, 2021).

D.3 Exception for Anonymized Data.

Transfers of fully anonymized data (i.e., data that cannot be re-identified) are not subject to GDPR data transfer restrictions, including SCCs or DPF. 

By continuing to use Revieve’s services, the Controller agrees to this Data Processing Agreement.