1. Definitions
- “Applicable Data Protection Law” means the GDPR, the UK GDPR, the Swiss FADP, the CCPA/CPRA, the LGPD, PIPEDA, and any other data-protection or privacy law applicable to the processing.
- “Personal Data” has the meaning given in Applicable Data Protection Law and refers only to data submitted by Customer to or generated by Customer’s use of the Service.
- “Controller”, “Processor”, “Data Subject”, “Process”, and “Sub-processor” have the meanings given in the GDPR.
- “Standard Contractual Clauses” or “SCCs” means the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable.
2. Role and scope
For Personal Data Customer submits to or generates through the Service, Customer is Controller and Feedrevo is Processor. Customer instructs Feedrevo to Process Personal Data only as necessary to provide the Service in accordance with the Terms of Service and Customer’s documented configuration choices.
Schedule 1 sets out the subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Personal Data Processed.
3. Processing instructions
Feedrevo will Process Personal Data only on Customer’s documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do otherwise by EU or Member State law to which Feedrevo is subject. In that case, Feedrevo will inform Customer of that legal requirement before Processing unless the law prohibits disclosure on important grounds of public interest.
Customer instructs Feedrevo to Process Personal Data as follows: (i) to provide the Service as configured by Customer; (ii) as further specified through Customer’s use of the Service, including Customer’s administrator settings; (iii) as documented in the Terms of Service and any order form; and (iv) as further documented in writing.
Feedrevo will inform Customer if, in Feedrevo’s opinion, an instruction infringes Applicable Data Protection Law.
4. Personnel confidentiality
Feedrevo ensures that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory, and receive appropriate data-protection training.
5. Security (Article 32)
Feedrevo implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Schedule 2. Customer is responsible for evaluating whether the Service meets Customer’s security requirements.
6. Sub-processors
Customer provides general written authorisation to engage the Sub-processors listed at feedrevo.com/subprocessors and as updated from time to time. Feedrevo will:
- Maintain the public Sub-processor list at the URL above with the legal entity name, location, and processing purpose of each Sub-processor.
- Provide at least 30 days’ advance notice of new Sub-processors via email to the address Customer designates and/or via update to the public list with an RSS or change-log mechanism.
- Allow Customer to object on legitimate grounds within the 30-day notice period; if the parties cannot agree on a remediation, Customer may terminate the affected portion of the Service for a pro-rata refund of pre-paid unused fees.
- Impose on each Sub-processor data-protection obligations no less protective than those in this DPA.
- Remain liable for the acts and omissions of each Sub-processor to the extent Feedrevo would be liable if performing the service itself.
7. Data subject rights
Taking into account the nature of the Processing, Feedrevo will assist Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Customer’s obligations to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Law. Where the Service provides functionality enabling Customer to action a request directly, Customer will use that functionality. Where Customer cannot, Feedrevo will provide reasonable assistance at no additional charge for tasks within the Service.
8. Personal data breach
Feedrevo will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data. The notice will include, to the extent known: (a) the nature of the breach, the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address it. Feedrevo will cooperate with Customer’s reasonable requests in connection with notification to supervisory authorities and Data Subjects.
9. DPIAs and prior consultation
Feedrevo will, taking into account the nature of the Processing and the information available, provide Customer with reasonable assistance for any data protection impact assessment and prior consultation with supervisory authorities that Customer is required to carry out under Articles 35 and 36 of the GDPR.
10. Audits
Feedrevo will make available to Customer information necessary to demonstrate compliance with this DPA. Feedrevo’s then-current SOC 2 Type II report (when available) or equivalent independent third-party audit will satisfy this requirement in lieu of an on-site audit. Customer may request a remote audit no more than once per 12-month period on at least 30 days’ written notice, conducted during business hours under reasonable confidentiality terms, at Customer’s cost. On-site audits are reserved for the supervisory authority and for material, specific concerns Feedrevo cannot resolve through documentation.
11. Deletion or return on termination
On termination of the Service, Customer may export Customer Personal Data from the Service for a period of 30 days. After 30 days, Feedrevo will delete or anonymise Customer Personal Data in active systems within a further 30 days and from backups within 90 days, unless retention is required by law. On request, Feedrevo will certify deletion in writing.
12. International transfers
Customer authorises Feedrevo to transfer Personal Data outside the European Economic Area, the United Kingdom, and Switzerland as necessary to provide the Service, subject to the safeguards below. The current primary processing location is the United States.
- EEA transfers. The SCCs, Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable, are deemed entered into between Customer (as data exporter) and Feedrevo (as data importer). The clauses of Module Two/Three apply with the following options: Clause 7 (docking) included; Clause 9(a) general authorisation with 30-day notice and a list of Sub-processors at feedrevo.com/subprocessors; Clause 11(a) optional independent dispute resolution not selected; Clause 17 option 1, governed by the law of the Republic of Ireland; Clause 18(b) courts of the Republic of Ireland.
- UK transfers. The UK Information Commissioner’s International Data Transfer Addendum is deemed entered into and incorporated by reference. Where required, Tables 1, 2, and 3 are completed by reference to the corresponding sections of this DPA and Schedules.
- Swiss transfers. The SCCs apply with: references to “Regulation (EU) 2016/679” deemed to include the Swiss FADP; references to “EU Member State” deemed to include Switzerland; competent supervisory authority is the Federal Data Protection and Information Commissioner.
- Supplementary measures. Feedrevo applies the supplementary measures in Schedule 2 (encryption, access controls, government-request transparency) consistent with the EDPB Recommendations 01/2020.
13. Liability
The liability provisions of the Terms of Service apply to this DPA. The aggregate liability cap in the Terms applies to all claims arising under this DPA, except as required to be unlimited by Applicable Data Protection Law.
14. Order of precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails for the subject matter it covers. In the event of conflict between this DPA and the SCCs, the SCCs prevail to the extent legally required.
Schedule 1 — Processing details
| Item | Description |
|---|---|
| Subject matter | Provision of the Feedrevo Service to Customer. |
| Nature and purpose | Storage, organisation, retrieval, consultation, disclosure by transmission, alignment, and erasure of Personal Data necessary to operate the Service. |
| Duration | For the duration of the Service plus the post-termination period in Section 11. |
| Categories of Data Subjects | Customer's authorised users; team members; visitors to Customer's Pages whose data is surfaced via Meta APIs (followers, commenters, message senders, audience aggregates). |
| Categories of Personal Data | Names; email addresses; profile photos; Meta Page IDs; Meta user IDs; post and comment text; media (images, video); engagement metrics; access tokens; device and connection metadata; IP addresses; messages between Customer and Page audiences (when messaging features are enabled). |
| Sensitive Personal Data | Not knowingly Processed. Customer must not upload sensitive categories of data unless required for a contracted feature and notified to Feedrevo in advance. |
| Frequency | Continuous, on Customer's instruction. |
| Retention | Per the retention schedule in the Privacy Policy and Section 11 of this DPA. |
Schedule 2 — Technical and organisational measures
- Encryption. TLS 1.2+ for data in transit; AES-256 or equivalent for data at rest.
- Authentication and access control. Identity managed by Clerk; MFA available for Customer users and mandatory for Feedrevo personnel; SSO supported on Business plans; role-based access with least-privilege defaults.
- Secrets management. Production credentials stored in encrypted secret stores with rotation policies and audit logging.
- Network and infrastructure. Private networking between application and data tiers; isolated environments per stage; vendor-managed Postgres and Redis on Railway with point-in-time recovery.
- Logging and monitoring. Centralised application and access logs; anomaly detection; alerting on suspicious activity.
- Vulnerability management. Dependency scanning, static analysis, and a published responsible-disclosure programme at dev@feedrevo.com.
- Incident response. Documented runbook with on-call rotation; communication plan for notifying Customer within 72 hours of awareness.
- Business continuity. Automated database backups with point-in-time recovery; periodic restore tests.
- Personnel measures. Background checks where lawful; confidentiality obligations; data-protection training; access revocation on role change or departure.
- Vendor management. Sub-processors selected on the basis of equivalent security and confidentiality obligations; certifications reviewed annually where available.
- Government request handling. Subject to Schedule 3 of the SCCs, Feedrevo will challenge requests that are not legally binding, seek to narrow them, and notify Customer where lawful.
Schedule 3 — Sub-processor list
The current list of Sub-processors, with legal entity name, location, and purpose, is maintained at feedrevo.com/subprocessors.
Schedule 4 — California Service Provider Addendum
For Personal Information of California residents Processed under this DPA, Customer is the Business and Feedrevo is the Service Provider. Feedrevo:
- Will not Sell or Share Personal Information.
- Will Process Personal Information only for the limited and specified business purposes described in this DPA and the order form, and not for any further commercial purpose.
- Will not combine Personal Information received from Customer with Personal Information received from other sources, except as permitted under CCPA regulations.
- Will provide the same level of privacy protection as required of a Business under the CCPA/CPRA.
- Will assist Customer with consumer requests, including requests to know, delete, correct, opt out of Sale or Sharing, and limit use of Sensitive Personal Information.
- Will notify Customer if Feedrevo determines it can no longer meet its CCPA obligations and will take reasonable steps to stop or remediate any unauthorised use of Personal Information.
Customer may take reasonable steps to ensure Feedrevo’s use of Personal Information is consistent with the CCPA, including by reviewing Feedrevo’s SOC 2 Type II report when available.
Contact
For DPA questions or a counter-signed copy, email admin@feedrevo.com with the subject “DPA Request”.