Data Processing Addendum
Last updated: July 13, 2026
This Data Processing Addendum ("DPA") forms part of the Review Reacher Terms of Service between Review Reacher ("Processor") and the customer identified in the account ("Controller") and applies where Controller uploads personal data of its own customers to the Service.
1. Definitions
Terms such as "personal data", "processing", "controller", "processor", "data subject" have the meanings given in the UK GDPR and EU GDPR.
2. Roles
Controller determines the purposes and means of processing customer data uploaded to the Service. Processor processes that data only on Controller's documented instructions, which for the purposes of Article 28 GDPR are set out in the Terms and this DPA.
3. Subject matter and duration
Processing continues for the term of the Terms. Subject matter: provision of a review-request platform. Nature: collection, storage, transmission of customer contact details and message history. Categories of data subjects: Controller's own customers.
4. Types of personal data
Name, email address, phone number, tags/notes provided by Controller, last-visit dates, message send status, and any content submitted through the private feedback form.
5. Processor obligations
- Process only on documented instructions from Controller.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Annex A).
- Assist Controller with data subject rights requests where reasonably possible.
- Notify Controller without undue delay after becoming aware of a personal data breach.
- Delete or return personal data at the end of the services (30-day window), except where retention is required by law.
- Make available information necessary to demonstrate compliance and allow audits (per Section 8).
6. Sub-processors
Controller provides general authorisation for Processor to engage the sub-processors listed in the Privacy Policy. Processor will inform Controller of intended changes and Controller may object within 14 days.
7. International transfers
Where personal data is transferred outside the UK/EEA, the parties agree the UK Addendum and the EU Standard Contractual Clauses (Module 2, controller-to-processor) apply and are incorporated by reference.
8. Audits
Processor will provide independent third-party audit reports on request (e.g. SOC 2 reports of underlying infrastructure) and respond to reasonable security questionnaires no more than once per year, subject to confidentiality.
9. Liability
Each party's liability under this DPA is subject to the limitations in the Terms.
Annex A — Security measures
- TLS 1.2+ for all data in transit; AES-256 at rest.
- Row-level security isolating each business tenant.
- Role-based access control; least-privilege for staff.
- Automated backups with tested restore procedures.
- Vulnerability scanning and dependency auditing.
- Access logs and audit trails on privileged actions.