Data Protection Agreement

Last updated:

This Data Protection Agreement (the “DPA”) is incorporated into the Master Subscription Agreement, Terms of Service, or other commercial agreement with HyperCurrent, Inc. d/b/a Revenium (“Company”) pursuant to which Customer has received access to Company’s products (“MSA”). Capitalized terms have the meanings provided in the MSA defined below except as provided here.

1.1 “Breach” means a breach by Company of its security obligations in this DPA that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored or otherwise processed in Customer’s Company instance. 

1.2 “Data Protection Laws” means applicable data protection laws, including the General Data Protection Regulation 2016/679 (“GDPR”), UK Data Protection Act 2018 (“DPA 2018”), Swiss Federal Data Protection Act of 19 June 1992, and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.

1.3 “Personal Data” means any information relating to an identified natural person or a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, in each case that is processed by Company under the MSA (each such person a “data subject”). 

1.4 “Process” (whether or not capitalized) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.5 “Standard Contractual Clauses” means the (i) Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and, as applicable (ii) the UK International Data Transfer Addendum executed by and between Customer and Company and attached hereto as Exhibit A. For the purposes of the Standard Contractual Clauses, Company agrees that it is the "data importer" and Customer is the "data exporter."

2.1 Relationship of the Parties. Customer appoints Company as a processor to process Personal Data: (a) for the purposes described in the MSA, or (b) with Customer’s prior written consent (collectively the “Permitted Purpose”). Each party will comply with the obligations that apply to it under Data Protection Laws. If Company becomes aware that processing for the Permitted Purpose infringes Data Protection Laws, it will promptly inform Customer. The details of the transfer and in particular the special categories of Personal Data where applicable are specified in the attached Annex 1 and incorporated herein by this reference. 

2.2 Confidentiality of Processing. Company will treat Customer Data as Customer’s Confidential Information.  Company shall only process the Customer Data during the Subscription Term.  

2.3 Cooperation and Data Subjects' Rights. Company will provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to Company, Company will promptly inform Customer providing details of the same.

2.4 Customer Data Return and Disposal.  Upon written request by Customer or the termination or expiration of the MSA, Company will: (a) if requested by Customer, provide Customer with a copy of any Customer Data in Company’s possession that Customer does not already have; and (b) securely destroy all Customer Data in Company’s possession in a manner that makes such Customer Data non-readable and non-retrievable. Notwithstanding the foregoing, Company may retain copies of Customer Data: (x) to the extent Company has a separate legal right or obligation to retain some or all of the Customer Data; and (y) in backup systems until the backups have been overwritten or expunged in accordance with Company’s backup policy. 

2.5 International Transfers. Company will not transfer Personal Data outside the European Economic Area (“EEA”) unless Company takes such measures designed to provide adequate protection for such Personal Data consistent with the requirements of Data Protection Laws. To the extent Company processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection (within the meaning of Data Protection Laws) by virtue of the Standard Contractual Clauses, For the purposes of the Standard Contractual Clauses: (i) the module two (controller to processor) terms shall apply to the extent Customer is a Controller of Customer Personal Data and the module three (processor to processor) terms shall apply to the extent Customer is a Processor of the Personal Data; (ii) Clause 9, Option 2 of the applicable module of the Standard Contractual Clauses shall apply and Company may engage Sub-Processors as described in Section 2.7 of this DPA; (iii) in Clause 11, the optional language shall be deleted; (iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the Standard Contractual Clauses shall be carried out as set out in and subject to the requirements of Section 3.1 of this DPA; (v) pursuant to Clauses 8.5 and 16(d), upon termination of this DPA, Personal Data will be returned or destroyed in accordance with Section 2.4 of this DPA; (vi) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by Irish law; (vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (viii) the Annexes of the Standard Contractual Clauses shall be populated with the information set out in the Annexes to this Addendum. If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA regarding the transfer of Personal Data from Customer to Company, the Standard Contractual Clauses shall prevail to the extent of such conflict.

2.6 Alternative Transfer Mechanism. To the extent Company adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses) for the transfer of Personal Data ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable Data Protection Law and extends to the countries to which Personal Data of the EEA is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders that the measures described in this DPA cannot be relied on to lawfully transfer Personal Data (within the meaning of applicable Data Protection Law), Company may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of Personal Data.

2.7 Subprocessing.  Customer consents to Company engaging Company affiliates and third party sub-processors to process Personal Data for the Permitted Purpose provided that: (a) Company will maintain an up-to-date list of its sub-processors on its website located at www.revenium.ai/subprocessors which it will update with details of any change in sub-processors at least 30 days prior to any such change; and (b) Company will impose data protection terms on any sub-processor it appoints as required to protect Personal Data to the standard required by Data Protection Laws, including an obligation to comply with applicable Data Protection Law.  The foregoing constitutes a general authorization.  Customer may object to Company's appointment or replacement of a sub-processor prior to its appointment or replacement provided such objection is based on reasonable grounds relating to data protection within fifteen days following notice thereof. In such event, Company will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the MSA. Customer will not receive a refund of any unused prepaid fees on such termination and if fees remain unpaid for a Subscription Term, Customer will immediately pay the remaining balance due for the remainder of the subscription term.  Company will be responsible for the acts and omissions of its sub-processors in violation of this DPA. 

2.8 Data Protection Impact Assessment. Company will provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required to perform under Data Protection Laws. 

2.9 Changes. If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the applicable Data Protection Laws then the parties shall use good faith efforts to agree such variations to this Agreement as may be necessary to strictly remedy such non-compliance. 

2.10 Swiss Transfers. If the transfer of Customer’s Personal Data is subject to the Swiss Federal Data Protection Act of 19 June 1992, the following provisions apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the Standard Contractual Clauses; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer’s Personal Data that is governed by the Swiss Federal Data Protection Act of 19 June 1992; (iii) the term ‘Member State’ in the Standard Contractual Clauses will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the Standard Contractual Clauses; and (iv) references to the ‘GDPR’ in the Standard Contractual Clauses will be understood as references to the Swiss Federal Data Protection Act of 19 June 1992 insofar as the transfer of Customer’s personal data is subject to the Swiss Federal Data Protection Act of 19 June 1992.

3.1 Audit. On Customer’s request and subject to the confidentiality obligations set forth in the MSA or an appropriate non-disclosure agreement, Company will make available to Customer a summary of security practices. Not more than once per year, Company will also respond to a Customer security questionnaire and meet by teleconference or in person (at Customer’s expense) to address follow up questions. In addition, Customer may contact Company in accordance with the MSA to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Customer and Company shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Company incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Company. Customer shall promptly notify Company with information regarding any non-compliance Company discovered during the course of an audit. Customer agrees that the Services, Security Measures implemented and maintained by Company, and Company’s commitments under this Section 3 (Company Security Measures) provide a level of security appropriate to the risk to Personal Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Personal Data as well as the risks to individuals).

3.2 Security in Company-Managed Deployments. In deployments where Company hosts the Products, Company will implement procedural, technical, and administrative safeguards on its Products and the hosting environment designed to: (a) protect from accidental or unlawful destruction of Customer Data; and (b) protect against any loss, alteration, unauthorized disclosure of or access to Customer Data in the Products including as described in Annex 2 (the "Security Measures"). The Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Company’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Company may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the Products.

3.3 Compliance Certifications and SOC Reports. Company will maintain at least a SOC 2 report for the hosted Products in order to evaluate the continued effectiveness of the Security Measures (“SOC Report”).  The SOC Report will be produced by Company’s third party auditor and updated annually based on an audit performed at least once every 12 months. Company will provide details of the SOC Reports available for the Products associated with specific hosting environments on request.  Company may also add standards or replace any SOC Reports with an equivalent or enhanced alternative at any time. 

3.4 Personnel Background Checks. Prior to engaging any employee or contractor who may receive access to Customer Data Company will conduct a satisfactory background check including at least the following requirements (modified as appropriate to comply with applicable law in countries outside the United States): (a) criminal history check over the five-year period prior to the employment commencement date of such employee; and (b) verification of employment and educational history over the last five years.

3.5 Company shall ensure that persons authorized to process the Customer’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Customer shall maintain appropriate technical and organizational measures for the protection of Customer Data, including without limitation the following:

4.1 Customer Responsibilities. Customer is responsible for security relating to its environment and databases and security relating its configuration of the Products. Notwithstanding any other provision of this DPA, the MSA or any other agreement related to the Products, Company will have no obligations or liability as to any breach or loss resulting from: (x) Customer’s environment, databases, systems or Products, or (y) Customer’s security configuration or administration of the Products.

4.2 Appropriate Permissioning. Customer is solely responsible for provisioning Users on the Products, including: (a) methods of authenticating Users (such as industry-standard secure username/password policies, or two-factor authentication); (b) restricting access by User or group; (c) managing admin privileges; and (d) deauthorizing personnel who no longer need access to the Products; or (e) setting up any API usage in a secure way.

5.1 Breach Notice. If it becomes aware of a Breach, Company shall inform Customer via email without undue delay and within seventy-two (72) hours.  Company shall further take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach. 

5.2 Cooperation. Company will provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable law.

6.1 Definitions. “Commercial Purpose,” “Consumer,” “Personal Information,” “Sell,” and “Service Provider” have the meanings assigned to them in the CCPA.6.2

6.2 CCPA Obligations.  If Customer Data comprises Personal Data subject to the CCPA (“CCPA Covered Data”), Company is the Service Provider and, consistent with the requirements of the CCPA, shall not (a) Sell or share the CCPA Covered Data or (b) retain, use or disclose the CCPA Covered Data:  (i) for any purpose, including any Commercial Purpose, other than for the specific purpose of providing and supporting the Products or (ii) outside of the Parties’ direct business relationship. Company certifies that it understands these restrictions and will comply with them. Company will notify Customer if it is unable to meet its obligations under the CCPA.  Company grants Customer the right to (a) take reasonable and appropriate steps to ensure that CCPA Covered Data transferred in a manner consistent with the CCPA and (b) upon notice, to take reasonable steps to stop and remediate unauthorized use of CCPA Covered Data.  Company will not combine CCPA Covered Data with any personal data Company receives from or on behalf of another person or persons or that Company collects from its interaction with a Consumer.  Company acknowledges nothing in this Paragraph removes or lessens its obligations with respect to Personal Data under the Agreement or this DPA. 6.3

6.3 Consumer Requests.  Customer will be responsible for responding to Consumer requests in relation to CCPA Covered Data (each, a “Consumer Request”).  If Company receives a Consumer Request then, to the extent legally permissible, Company will advise the Consumer to submit the Consumer Request to Customer, and Customer agrees that Company may confirm to a Consumer that the Consumer Request relates to Customer.  To the extent Customer is unable through Customer’s use of the Products to address a particular Consumer Request, Company will, upon Customer’s request and taking into account the nature of the CCPA Covered Data, provide reasonable assistance in addressing the Consumer Request (provided Company is legally permitted, and Customer has verified the request in accordance with the CCPA).

7.1 Construction; Interpretation. This DPA is not a standalone agreement and is only effective if a MSA is in effect between Company and Customer. This DPA is part of the MSA and is governed by its terms and conditions (including limitations of liability set forth therein). This DPA and the MSA are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA. 

7.2 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect. 

7.3 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.

7.4 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the MSA. If the MSA is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.

7.5 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the MSA unless otherwise required by Data Protection Laws.

Hypercurrent, Inc. - DBA Revenium

If you have questions about this Agreement, please contact us:

Email: legal@revenium.io
Mailing Address: Revenium, Inc.
13800 Coppermine Rd
Herndon, VA 20171

We will update this Data Processing Agreement from time to time to reflect changes in our practices, technology, legal requirements and other factors. If we do, we will update the “effective date” at the top of this Agreement. If we make an update, we may provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on our website or by contacting you using the email address you provided.