RP
RevenueProven

Data Processing Addendum

Last updated: March 14, 2026

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual
  • Data Controller: The customer — determines purposes and means of processing
  • Data Processor: RevenueProven — processes data on behalf of the controller
  • Processing: Any operation performed on personal data
  • Data Subject: An individual whose personal data is processed
  • Sub-Processor: A third party engaged by the processor
  • Supervisory Authority: An independent public body responsible for data protection
  • GDPR: General Data Protection Regulation (EU) 2016/679
  • PDPA: Personal Data Protection Act 2012 (Singapore)

2. Scope and Roles

This DPA applies when RevenueProven processes Personal Data on behalf of the customer. The customer is the Data Controller. RevenueProven is the Data Processor. This DPA supplements the Terms of Service.

3. Processing Instructions

We process Personal Data only on the customer's documented instructions. We do not process data for our own purposes beyond providing the service. If we believe an instruction violates data protection law, we notify the customer.

Types of data processed include: company names, contact information from your CRM, ad engagement data, and deal values.

4. Sub-Processors

Current Sub-Processors include:

  • Cloud hosting provider (infrastructure)
  • Paddle (payment processing)
  • Resend (transactional email)
  • LinkedIn API (data source)
  • HubSpot API (data source)

We notify customers before adding new Sub-Processors. A 30-day notice period is provided for objections. We ensure Sub-Processors are bound by equivalent data protection obligations.

5. Security Measures

Technical Measures

  • AES-256-GCM encryption for OAuth tokens
  • TLS 1.2+ for data in transit
  • Database encryption at rest
  • Access logging

Organizational Measures

  • Role-based access control
  • Regular security reviews
  • Incident response procedures
  • Employee confidentiality obligations

6. Breach Notification

We notify the customer within 72 hours of becoming aware of a Personal Data breach. Notification includes:

  • Nature of the breach
  • Categories of data affected
  • Approximate number of records
  • Likely consequences
  • Measures taken to mitigate

We cooperate with the customer's breach response obligations.

7. International Transfers

Personal Data may be transferred outside the customer's jurisdiction. We use Standard Contractual Clauses (SCCs) where required by GDPR. We ensure adequate protection for all international transfers. The customer consents to transfers described in this DPA.

8. GDPR and PDPA Alignment

GDPR: We support the customer's obligations under Articles 28, 32–36.

PDPA: We comply with Singapore's PDPA obligations.

We assist with Data Subject Access Requests (DSARs) — response within 30 days. We support the customer's right to audit (with reasonable notice and during business hours). We maintain records of processing activities.

9. Term and Termination

This DPA remains in effect for the duration of the Terms of Service. On termination:

  • Delete customer Personal Data within 30 days
  • Customer may request data export before deletion
  • We may retain data where required by law (with notification)
  • Obligations of confidentiality survive termination