Data Processing Addendum - Reviwise
Data Processing Addendum (DPA)
Service: Reviwise – Google Review Management Platform
Provider: Truezone Inc.
Effective Date: 04/12/2025
Address: 1111B S Governors Ave STE 20696, Dover, DE, 19904, United States
Email: support@reviwise.com
This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Use or other written or electronic agreement (the "Agreement") between the customer using Reviwise (the "Controller") and Truezone Inc. ("Processor"), under which Truezone Inc. provides the Reviwise review management platform (the "Service").
This DPA applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the Service and is intended to satisfy the requirements of Applicable Data Protection Laws, including the EU General Data Protection Regulation ("GDPR").
1. Definitions
For the purposes of this DPA:
- "Controller" means the business customer using Reviwise that determines the purposes and means of the processing of Personal Data.
- "Processor" means Truezone Inc., which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Applicable Data Protection Laws.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under this DPA, including, where applicable, the GDPR, UK GDPR, and similar laws.
2. Subject Matter and Nature of Processing
The Processor provides the Reviwise platform, which enables the Controller to connect its Google Business Profile, monitor and respond to reviews, and access related analytics.
The Processing activities include:
- Collection and storage of Google Business review data and metadata.
- Display of reviews and analytics to the Controller via the Service.
- Facilitation of the Controller's replies to reviews.
- Storage of user account and login data for platform access.
- Maintenance of audit logs, usage logs, and security logs.
Payment card data is processed exclusively by Stripe as an independent processor or sub-processor. Reviwise does not store full payment card details.
3. Categories of Data and Data Subjects
The types of Personal Data processed may include:
- Reviewer names or pseudonyms appearing on Google reviews.
- Review content, ratings, and associated metadata.
- Business location details for the Controller's Google Business Profile(s).
- Account details of authorized users of the Service (e.g., name, email, login data).
- Technical and usage logs linked to user sessions.
The categories of Data Subjects may include:
- Customers and reviewers posting reviews on Google Business Profiles.
- Employees, contractors, or representatives of the Controller who use the Service.
4. Duration of Processing
The Processor will process Personal Data for the duration of the Agreement and for as long as the Controller maintains an account on the Service, unless otherwise required by law or agreed in writing. Upon termination, Personal Data will be deleted or returned in accordance with Section 10 of this DPA.
5. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by law.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures such as encryption in transit, access controls, logging, and secure hosting.
- Assist the Controller, taking into account the nature of the processing, with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligations to respond to Data Subjects' requests to exercise their rights under Applicable Data Protection Laws.
- Assist the Controller in ensuring compliance with security and breach notification obligations, taking into account the nature of processing and the information available to the Processor.
- Upon termination of the Agreement, delete or return Personal Data to the Controller and delete existing copies, unless applicable law requires storage of the Personal Data.
- Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and allow for audits or inspections, as set out in Section 9, where required by law.
6. Sub-Processors
The Controller authorizes the Processor to engage Sub-Processors to support the provision of the Service. These may include:
- Cloud infrastructure providers (e.g., Google Cloud Platform) for hosting and storage.
- Payment processors (e.g., Stripe) for subscription billing.
- Analytics and error tracking tools.
- Email and notification service providers.
The Processor shall enter into written agreements with Sub-Processors that impose data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-Processor's obligations.
7. International Data Transfers
Personal Data may be processed in countries outside of the Controller's country, including the United States, where the Processor and its Sub-Processors operate.
Where required by Applicable Data Protection Laws, the Processor will ensure that appropriate safeguards are in place for such transfers, such as the use of Standard Contractual Clauses (SCCs), and will implement technical and organizational measures to protect Personal Data.
8. Rights of Data Subjects and Assistance to the Controller
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfill its obligation to respond to requests for exercising Data Subjects' rights under Applicable Data Protection Laws, including:
- Right of access.
- Right to rectification.
- Right to erasure.
- Right to restriction of processing.
- Right to data portability.
- Right to object.
Data Subject requests received directly by the Processor will, where reasonably identifiable, be forwarded to the Controller without undue delay.
9. Security Measures
The Processor shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures may include:
- Use of HTTPS/TLS for data in transit.
- Secure authentication and session management.
- Access controls and role-based permissions.
- Logging and monitoring of access and system events.
- Regular security updates and patching.
- Backups and disaster recovery procedures.
10. Personal Data Breach Notification
In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach. Such notification shall include, to the extent reasonably available:
- The nature of the Personal Data Breach.
- The categories and approximate number of Data Subjects concerned.
- The categories and approximate number of Personal Data records concerned.
- The likely consequences of the Personal Data Breach.
- The measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
11. Return or Deletion of Personal Data
Upon termination or expiry of the Agreement, or upon written request of the Controller, the Processor shall, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller, and delete existing copies, unless applicable law requires retention of such data.
Deletion of Personal Data from backups will occur in accordance with the Processor's standard backup deletion and rotation policies.
12. Audits
Where required by Applicable Data Protection Laws, the Controller may, at its own expense and upon reasonable written notice, conduct or request an audit (including inspection) of the Processor's data processing facilities and practices relevant to Personal Data, either by the Controller or through an independent auditor bound by confidentiality obligations, to verify the Processor's compliance with this DPA.
Any audit shall be conducted during normal business hours, without unreasonable disruption to the Processor's operations, and subject to reasonable limitations to protect confidentiality and security of other customers' data and the Processor's systems.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, USA, except where Applicable Data Protection Laws require otherwise in relation to specific data protection obligations.
14. Contact
For questions regarding this DPA or data protection at Reviwise, please contact:
Truezone Inc.
1111B S Governors Ave STE 20696
Dover, DE, 19904
United States
Email: support@reviwise.com