TERMS AND CONDITIONS

Data Protection Addendum

REVV DATA PROTECTION ADDENDUM

 

This Data Protection Addendum (together with its annexes, this “DPA”) forms part of the Agreement between Revv and Customer (each a “Party” and, collectively, the “Parties”) for Revv’s provision of the Services to such Customer (the “Agreement”).  Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.

 

1. DEFINITIONS

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder, in each case, as amended from time to time.

 

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

 

“Customer Personal Data” means any Customer Materials that constitute Personal Data.  Customer Personal Data does not include Personal Data pertaining to end users of the Services that Revv Processes as a Controller, including Personal Data Processing subject to Revv’s privacy policy available at https://www.revvhq.com/privacy-policy.

 

“Data Protection Laws” means the federal, state, provincial or local privacy, data protection and data security laws and regulations of the United States and Canada applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, the CCPA and other U.S. state privacy laws, in each case, as amended from time to time.  The Service may not be used to process Customer Personal Data pertaining to Data Subjects outside of the United States or Canada without Revv’s prior written consent.

 

“Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.

 

“Data Subject Request” means the request of a Data Subject to exercise rights under Data Protection Laws in respect of Customer Personal Data pertaining to such Data Subject in Revv’s possession, custody, or control.

 

“Personal Data” means information about an identified or identifiable natural person or that otherwise constitutes “personal data”, “personal information,” or information within the scope of similar terms defined in Data Protection Laws.

 

“Personal Data Breach” means a breach of Revv’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Revv’s possession, custody, or control.

 

“Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction.

 

“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of another individual or entity, which may be a Controller or another Processor.

 

“Subprocessor” means any third party engaged directly or indirectly by or on behalf of Revv to Process Customer Personal Data under Revv’s care, custody, or control.


2. SCOPE OF THIS DATA PROCESSING ADDENDUM

Annex 1 (Data Processing Details) to this DPA describes the details of Revv’s Processing of Customer Personal Data and the respective roles of the Parties relating to such Processing, and Annex 2 (California Annex) and Annex 3 (Canada Annex) to this DPA apply to Revv’s Processing of Customer Personal Data in accordance with their respective terms.  All other terms of this DPA apply solely with respect to Processing of Customer Personal Data subject to Data Protection Laws requiring data protection terms to be included in contracts between Customer and its Processors (or as applicable, “Service Provider”, as defined in the CCPA) or that would otherwise be violated but for the incorporation of this DPA in the Agreement.


3. PROCESSING OF CUSTOMER PERSONAL DATA

Revv shall Process Customer Personal Data only according to Customer’s instructions or as required by applicable laws.  Customer instructs Revv to Process Customer Personal Data as authorized by the Agreement.  The Agreement and Customer’s use of the Services’ settings and features in accordance with the Agreement are the complete expression of such instructions, and Customer’s additional instructions shall be binding on Revv only pursuant to an amendment to the Agreement signed by Revv.  Where Revv receives an instruction from Customer that, in Revv’s reasonable opinion, infringes Data Protection Laws, Revv shall notify Customer.  Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.


4. REVV PERSONNEL

Revv shall ensure that all Revv personnel who access Customer Personal Data are subject to contractual or other legal duties of confidentiality with respect to such Customer Personal Data.


5. SECURITY

Revv shall implement and maintain the technical, organizational, and physical measures designed to protect the confidentiality, integrity, and availability of Customer Personal Data (the “Security Measures”) described in Annex 4 (Security Measures) of this DPA and any other security measures that Revv is required to maintain under Data Protection Laws.  Revv may modify the Security Measures from time to time so long as the modifications do not decrease the overall protection of Customer Personal Data.


6. DATA SUBJECT REQUESTS

Customer is solely responsible for responding to Data Subject Requests.  Considering the nature of the Processing of Customer Personal Data and employing appropriate technical and organizational measures, Revv shall provide Customer with such assistance as Customer may reasonably request in writing to enable Customer to perform its obligations under Data Protection Laws to respond to Data Subject Requests. Revv shall promptly forward to Customer any Data Subject Request that Revv receives and Revv shall not be obligated to respond to any Data Subject Request but may instruct the Data Subject to submit the request to Customer.


7.  PERSONAL DATA BREACHES

Revv shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof.  Revv’s notification of or response to a Personal Data Breach shall not be construed as Revv’s acknowledgement of any fault or liability with respect to the Personal Data Breach.  If Customer determines that notice of a Personal Data Breach must be given to any governmental authority, any Data Subject, the public or others in a manner that directly or indirectly refers to or identifies Revv, where permitted by applicable laws, Customer shall notify Revv prior to giving such notice and in good faith consult with Revv regarding such notice and consider any clarifications or corrections that Revv may reasonably request.


8. SUBPROCESSING

a.  Authorization; Current Subprocessors.  Customer generally authorizes Revv to engage Subprocessors in accordance with this Section 8, including the Subprocessors listed at the following web page or such other web page as Revv may provide to Customer from time to time: revvhq.com/terms-and-conditions/data-protection-addendum/sub-processors (the “Subprocessor Page”).

b.  Requirements. Revv shall ensure each Subprocessor is bound by a written contract imposing on such Subprocessor data protection obligations at least as protective as those in this DPA with respect to Customer Personal Data to the extent applicable to the nature of the services such Subprocessor provides.  Revv shall be liable for all Processing of Customer Personal Data delegated to the Subprocessor and its actions and omissions related thereto. 

c. New Subprocessors. When Revv engages any new Subprocessor not listed on the Subprocessor Page as of the date of this DPA, Revv shall notify Customer of the engagement (including the name, location, and function of the Subprocessor) by updating the Subprocessor Page or by other written means at least 15 days before such Subprocessor Processes Customer Personal Data.  If Customer objects to such engagement in a written notice to Revv within 15 days after being notified of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Revv shall work together in good faith to resolve such objection in a mutually acceptable manner.  If the Parties are unable to reach a mutually acceptable resolution within a mutually acceptable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Revv and paying Revv for all amounts due and owing under the Agreement as of the date of such termination.


9. COMPLIANCE SUPPORT

Taking into account the nature of the Processing and the information available to Revv, Revv shall provide such information as Customer may reasonably request to enable Customer to perform its obligations under Data Protection Laws in relation to Revv’s Processing of Customer Personal Data, including in relation to (i) the security of Customer Personal Data, (ii) the investigation and reporting of Personal Data Breaches, (iii) the demonstration of Revv’s compliance with this DPA or Data Protection Laws, and (iv) the performance of any data protection assessments and consultations with governmental authorities regarding such assessments in relation to Revv’s Processing of Customer Personal Data.


10. RETURN AND DELETION   

Customer hereby directs Revv, and Revv agrees, to delete Customer Personal Data in Revv’s care, custody, or control upon expiration or earlier termination of the Agreement in accordance with the Agreement’s provisions for the post-termination deletion of Customer Materials.


11.  ADDITIONAL ASSISTANCE

If Customer requests information or assistance pursuant to Sections 6, 9, or 10 of this DPA beyond Revv’s provision of self-service features as part of the Services that Customer can use to obtain the requested information or assistance, then Customer shall reimburse Revv for any costs and expenses reasonably incurred by Revv in the course of responding to such requests and Revv reserves the right to charge its applicable fees for professional services required to fulfill such requests.


12.  PRECEDENCE; MISCELLANEOUS

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall govern.  References to “including” mean “including, without limitation”.  

 

 

Annex 1 – Data Processing Details

Role: Customer is Controller and Revv is Processor

Categories of Data Subjects: Customer’s auto repair customers

Categories of Customer Personal Data: Name, contact details, vehicle identification number, vehicle characteristics

 Nature of the Processing: Provision of cloud-based enterprise software to facilitate preparation of auto repair estimates

 Purpose of the Processing: Provision of the Services

 

 

Annex 2 – California Annex

 This Annex 2 (California Annex) applies only to Revv’s Processing of Customer Personal Data subject to the CCPA.

 

1. Capitalized terms used in this California Annex but not defined in the DPA shall have the meanings given in the CCPA. As used in this California Annex, “Personal Information” means Customer Personal Data that constitutes “personal information” under the CCPA. 

2. It is the Parties’ intent that Revv is a Service Provider with respect to its Processing of Personal Information.  Revv (a) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in Annex 1 (Data Processing Details) to this DPA; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 9 of the DPA to help to ensure that Revv’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Revv that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

3. Revv shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in the Agreement, or as otherwise permitted by the CCPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between Revv and Customer; or (d) combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person, or (ii) collected from Revv’s own interaction with any Consumer to whom such Personal Information pertains.  Revv hereby certifies that it understands its obligations under this paragraph and shall comply with them.

4. Giving Customer notice of Subprocessor engagements in accordance with Section 8 of the DPA shall satisfy Revv’s obligation under the CCPA to give notice of such engagements.

5. The Parties acknowledge that Revv’s Processing of Personal Information authorized by Customer’s instructions described in this DPA is integral to the Services and the Parties’ business relationship. 


Annex 3 – Canada Annex

 This Annex 3 (Canada Annex) applies only to Processing of Customer Personal Data subject to the Data Protection Laws in Canada.

 

Customer shall notify Data Subjects that Personal Data pertaining to them may be transferred and stored outside of Canada and accessible to courts, law enforcement and national authorities in other countries. Customer will obtain any consents, if required by the Data Protection Laws of Canada, for Revv to transfer the Customer Personal Data outside Canada and/or outside the Canadian province where Customer and/or the Data Subjects are located.

 

Annex 4 – Security Measures

 1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Revv’s information security program. 

2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Revv’s organization, monitoring and maintaining compliance with Revv’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3. Data security controls that include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.

4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.

5. Password controls designed to manage and control password strength, expiration and usage.

6. System audit or event logging and related monitoring procedures to proactively record user access and system activity. 

7. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Revv’s possession.

8. Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Revv’s technology and information assets.

9. Incident management procedures designed to allow Revv to investigate, respond to, mitigate, and notify of events related to Revv’s technology and information assets. 

10. Network security controls and procedures for network services and components. 

11. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.

12. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.


REVV DATA PROTECTION ADDENDUM

 

This Data Protection Addendum (together with its annexes, this “DPA”) forms part of the Agreement between Revv and Customer (each a “Party” and, collectively, the “Parties”) for Revv’s provision of the Services to such Customer (the “Agreement”).  Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.

 

1.  Definitions

CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder, in each case, as amended from time to time. 

 

Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

 

Customer Personal Data” means any Customer Materials that constitute Personal Data.  Customer Personal Data does not include Personal Data pertaining to end users of the Services that Revv Processes as a Controller, including Personal Data Processing subject to Revv’s privacy policy available at https://www.revvhq.com/privacy-policy.

 

Data Protection Laws[AC1] means the federal, state, provincial or local privacy, data protection and data security laws and regulations of the United States and Canada applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, the CCPA and other U.S. state privacy laws, in each case, as amended from time to time.   The Service may not be used to process Customer Personal Data pertaining to Data Subjects outside of the United States or Canada without Revv’s prior written consent.

 

Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates. 

 

Data Subject Request” means the request of a Data Subject to exercise rights under Data Protection Laws in respect of Customer Personal Data pertaining to such Data Subject in Revv’s possession, custody, or control.

 

Personal Data” means information about an identified or identifiable natural person or that otherwise constitutes “personal data”, “personal information,” or information within the scope of similar terms defined in Data Protection Laws.

 

Personal Data Breach” means a breach of Revv’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Revv’s possession, custody, or control. 

 

Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction.

 

Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of another individual or entity, which may be a Controller or another Processor.

 

Subprocessor” means any third party engaged directly or indirectly by or on behalf of Revv to Process Customer Personal Data under Revv’s care, custody, or control.


2. SCOPE OF THIS DATA PROCESSING ADDENDUM

Annex 1 (Data Processing Details) to this DPA describes the details of Revv’s Processing of Customer Personal Data and the respective roles of the Parties relating to such Processing), and Annex 2 (California Annex) and Annex 3 (Canada Annex) to this DPA apply to Revv’s Processing of Customer Personal Data in accordance with their respective terms.  All other terms of this DPA apply solely with respect to Processing of Customer Personal Data subject to Data Protection Laws requiring data protection terms to be included in contracts between Customer and its Processors (or as applicable, “Service Provider”, as defined in the CCPA) or that would otherwise be violated but for the incorporation of this DPA in the Agreement. 


3. PROCESSING OF CUSTOMER PERSONAL DATA

Revv shall Process Customer Personal Data only according to Customer’s instructions or as required by applicable laws.  Customer instructs Revv to Process Customer Personal Data as authorized by the Agreement.  The Agreement and Customer’s use of the Services’ settings and features in accordance with the Agreement are the complete expression of such instructions, and Customer’s additional instructions shall be binding on Revv only pursuant to an amendment to the Agreement signed by Revv.  Where Revv receives an instruction from Customer that, in Revv’s reasonable opinion, infringes Data Protection Laws, Revv shall notify Customer.  Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.


4. REVV PERSONNEL

Revv shall ensure that all Revv personnel who access Customer Personal Data are subject to contractual or other legal duties of confidentiality with respect to such Customer Personal Data.


5. SECURITY

Revv shall implement and maintain the technical, organizational, and physical measures designed to protect the confidentiality, integrity, and availability of Customer Personal Data (the “Security Measures”) described in Annex 4 (Security Measures) of this DPA and any other security measures that Revv is required to maintain under Data Protection Laws.  Revv may modify the Security Measures from time to time so long as the modifications do not decrease the overall protection of Customer Personal Data.


6. DATA SUBJECT REQUESTS

Customer is solely responsible for responding to Data Subject Requests.  Considering the nature of the Processing of Customer Personal Data and employing appropriate technical and organizational measures, Revv shall provide Customer with such assistance as Customer may reasonably request in writing to enable Customer to perform its obligations under Data Protection Laws to respond to Data Subject Requests. Revv shall promptly forward to Customer any Data Subject Request that Revv receives and Revv shall not be obligated to respond to any Data Subject Request but may instruct the Data Subject to submit the request to Customer.


7.  PERSONAL DATA BREACHES

Revv shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof.  Revv’s notification of or response to a Personal Data Breach shall not be construed as Revv’s acknowledgement of any fault or liability with respect to the Personal Data Breach.  If Customer determines that notice of a Personal Data Breach must be given to any governmental authority, any Data Subject, the public or others in a manner that directly or indirectly refers to or identifies Revv, where permitted by applicable laws, Customer shall notify Revv prior to giving such notice and in good faith consult with Revv regarding such notice and consider any clarifications or corrections that Revv may reasonably request.


8. SUBPROCESSING

a.  Authorization; Current Subprocessors.  Customer generally authorizes Revv to engage Subprocessors in accordance with this Section 8, including the Subprocessors listed at the following web page or such other web page as Revv may provide to Customer from time to time: revvhq.com/terms-and-conditions/data-protection-addendum/sub-processors, the “Subprocessor Page”).

b.  Requirements. Revv shall ensure each Subprocessor is bound by a written contract imposing on such Subprocessor data protection obligations at least as protective as those in this DPA with respect to Customer Personal Data to the extent applicable to the nature of the services such Subprocessor provides.  Revv shall be liable for all Processing of Customer Personal Data delegated to the Subprocessor and its actions and omissions related thereto. 

c. New Subprocessors. When Revv engages any new Subprocessor not listed on the Subprocessor Page as of the date of this DPA, Revv shall notify Customer of the engagement (including the name, location, and function of the Subprocessor) by updating the Subprocessor Page or by other written means at least 15 days before such Subprocessor Processes Customer Personal Data.  If Customer objects to such engagement in a written notice to Revv within 15 days after being notified of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Revv shall work together in good faith to resolve such objection in a mutually acceptable manner.  If the Parties are unable to reach a mutually acceptable resolution within a mutually acceptable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Revv and paying Revv for all amounts due and owing under the Agreement as of the date of such termination.


9. COMPLIANCE SUPPORT

Taking into account the nature of the Processing and the information available to Revv, Revv shall provide such information as Customer may reasonably request to enable Customer to perform its obligations under Data Protection Laws in relation to Revv’s Processing of Customer Personal Data, including in relation to (i) the security of Customer Personal Data, (ii) the investigation and reporting of Personal Data Breaches, (iii) the demonstration of Revv’s compliance with this DPA or Data Protection Laws, and (iv) the performance of any data protection assessments and consultations with governmental authorities regarding such assessments in relation to Revv’s Processing of Customer Personal Data.


10. RETURN AND DELETION   

Customer hereby directs Revv, and Revv agrees, to delete Customer Personal Data in Revv’s care, custody, or control upon expiration or earlier termination of the Agreement in accordance with Agreement’s provisions for the post-termination deletion of Customer Materials. 


11.  ADDITIONAL ASSISTANCE

If Customer requests information or assistance pursuant to Sections 6, 9, or 10 of this DPA beyond Revv’s provision of self-service features as part of the Services that Customer can use to obtain the requested information or assistance, then Customer shall reimburse Revv for any costs and expenses reasonably incurred by Revv in the course of responding to such requests and Revv reserves the right to charge its applicable fees for professional services required to fulfill such requests.


12.  PRECEDENCE; MISCELLANEOUS

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall govern.  References to “including” mean “including, without limitation”.  

 

 

Annex 1 – Data Processing Details

Role: Customer is Controller and Revv is Processor

Categories of Data Subjects: Customer’s auto repair customers

Categories of Customer Personal Data: Name, contact details, vehicle identification number, vehicle characteristics

 Nature of the Processing: Provision of cloud-based enterprise software to facilitate preparation of auto repair estimates

 Purpose of the Processing: Provision of the Services

 

 

Annex 2 – California Annex

 This Annex 2 (California Annex) applies only to Revv’s Processing of Customer Personal Data subject to the CCPA.

 

1. Capitalized terms used in this California Annex but not defined in the DPA shall have the meanings given in the CCPA. As used in this California Annex, “Personal Information” means Customer Personal Data that constitutes “personal information” under the CCPA. 

2. It is the Parties’ intent that Revv is a Service Provider with respect to its Processing of Personal Information.  Revv (a) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described Annex 1 (Data Processing Details) to this DPA; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 9 of the DPA to help to ensure that Revv’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Revv that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

3. Revv shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in the Agreement, or as otherwise permitted by CPPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between Revv and Customer; or (d) combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person, or (ii) or collected from Revv’s own interaction with any Consumer to whom such Personal Information pertains.  Revv hereby certifies that it understands its obligations under this paragraph and shall comply with them.

4. Giving Customer notice of Subprocessor engagements in accordance with Section 8 of the DPA shall satisfy Revv’s obligation under the CCPA to give notice of such engagements.

5. The Parties acknowledge that Revv’s Processing of Personal Information authorized by Customer’s instructions described in this DPA is integral to the Services and the Parties’ business relationship. 


Annex 3 – Canada Annex

 This Annex 3 (Canada Annex) applies only to Processing of Customer Personal Data subject to the Data Protection Laws in Canada.

 

Customer shall notify Data Subjects that Personal Data pertaining to them may be transferred and stored outside of Canada and accessible to courts, law enforcement and national authorities in other countries. Customer will obtain any consents, if required by the Data Protection Laws of Canada, for Revv to transfer the Customer Personal Data outside Canada and/or outside the Canadian province where Customer and/or the Data Subjects are located.

 

Annex 4 – Security Measures

 1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Revv’s information security program. 

2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Revv’s organization, monitoring and maintaining compliance with Revv’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3. Data security controls that include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.

4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.

5. Password controls designed to manage and control password strength, expiration and usage.

6. System audit or event logging and related monitoring procedures to proactively record user access and system activity. 

7. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Revv’s possession.

8. Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Revv’s technology and information assets.

9. Incident management procedures designed to allow Revv to investigate, respond to, mitigate, and notify of events related to Revv’s technology and information assets. 

10. Network security controls and procedures for network services and components. 

11. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.

12. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.

