Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Terms of Service, order form, subscription agreement, statement of work, or other written agreement between Revscale Technologies, Inc. (“Revscale”) and the customer identified in the applicable agreement (“Customer”) governing Customer’s access to or use of Revscale’s AI-agent platform, software, tools, integrations, workflows, dashboards, and related services (collectively, the “Services”).

This DPA is intended to allocate privacy and data-processing responsibilities between Revscale and Customer.

1. Definitions

“Applicable Data Protection Laws” means privacy, data protection, security, marketing, electronic communications, artificial intelligence, biometric, call-recording, telemarketing, consumer-protection, and breach-notification laws applicable to a party’s processing of Personal Data under the Agreement, which may include the CCPA/CPRA, other U.S. state privacy laws, the GDPR, UK GDPR, ePrivacy rules, CAN-SPAM, TCPA, TSR, CASL, and similar laws, to the extent applicable.

“Customer Personal Data” means Personal Data contained in Customer Content or otherwise processed by Revscale on behalf of Customer through the Services, including lead, prospect, visitor, caller, chat, CRM, outreach, suppression, transcript, recording, knowledge base, and agent activity data.

“Controller,” “Processor,” “Business,” “Service Provider,” “Sell,” “Share,” “Personal Data,” “Personal Information,” “Processing,” and related terms have the meanings given under Applicable Data Protection Laws.

2. Roles of the Parties

For Customer Personal Data processed on Customer’s behalf, Customer is the controller or business and Revscale is the processor or service provider, except where Revscale independently determines the purposes and means of processing, including for account administration, security, billing, compliance, fraud prevention, legal claims, service analytics, and business operations.

Customer is responsible for determining whether the Services are appropriate for Customer’s intended use and for providing lawful instructions to Revscale. Revscale will process Customer Personal Data in accordance with Customer’s documented instructions, the Agreement, this DPA, product settings, Customer’s configuration choices, and Applicable Data Protection Laws.

3. Subject Matter, Duration, Nature, and Purpose of Processing

The subject matter of processing is Revscale’s provision of AI-agent, outreach, CRM, chatbot, voice, web pixel, knowledge base, dashboard, enrichment, automation, analytics, support, security, and related services to Customer.

The duration of processing is the term of the Agreement plus any post-termination period needed for deletion, export, audit, backup retention, dispute resolution, legal compliance, security, billing, and ordinary business recordkeeping.

The nature and purpose of processing includes receiving, hosting, organizing, analyzing, enriching, routing, scoring, generating, transmitting, displaying, recording, transcribing, storing, securing, debugging, supporting, and otherwise processing Customer Personal Data to provide, operate, maintain, secure, improve, and support the Services.

4. Categories of Personal Data and Data Subjects

Customer Personal Data may include business contact information, account credentials, lead and prospect data, customer or visitor data, IP addresses and device identifiers, CRM records, messages, email activity, LinkedIn-related activity, call recordings, call metadata, transcripts, chatbot interactions, website pixel events, suppression-list entries, uploaded knowledge base documents, training rules, agent configurations, performance analytics, and billing-related information.

Data subjects may include Customer personnel, authorized users, franchisors, franchisees, agencies, parent-company personnel, affiliates, location operators, leads, prospects, website visitors, callers, chat users, customers, business contacts, vendors, and other individuals whose data is submitted to or processed through the Services.

5. Customer Responsibilities

Customer is responsible for the lawfulness, accuracy, quality, and appropriateness of Customer Personal Data and Customer’s instructions. Customer will obtain and maintain all notices, consents, opt-ins, permissions, registrations, lawful bases, contractual rights, and authorizations required for Revscale to process Customer Personal Data and operate the configured agents, workflows, integrations, communications, tracking tools, and outreach systems.

Customer is responsible for compliance with marketing, privacy, AI, telemarketing, call recording, email, SMS, employment, health, financial, franchise, industry-specific, and consumer-protection laws applicable to Customer’s use of the Services. Customer will not submit regulated, sensitive, high-risk, or restricted data unless permitted by the Agreement and configured with appropriate controls.

6. Revscale Processing Obligations

Revscale will process Customer Personal Data only as reasonably necessary to provide, operate, secure, support, troubleshoot, analyze, maintain, and improve the Services; comply with law; enforce the Agreement; prevent abuse; protect rights and safety; and perform other purposes permitted by the Agreement or this DPA.

Revscale will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

7. Subprocessors

Customer authorizes Revscale to use subprocessors and service providers to provide and support the Services, including infrastructure, hosting, cloud storage, analytics, communications, email, voice, SMS, CRM, enrichment, AI model, monitoring, payment, support, security, and integration providers.

Revscale will impose written obligations on subprocessors that are designed to protect Customer Personal Data in a manner materially consistent with this DPA, taking into account the nature of the services provided by the subprocessor. Revscale remains responsible for its subprocessors’ processing of Customer Personal Data to the extent required by Applicable Data Protection Laws.

8. Third-Party Platforms and Customer-Connected Accounts

The Services may connect to third-party platforms, APIs, accounts, tools, and vendors selected, authorized, or configured by Customer, including email providers, CRM systems, LinkedIn-related tools, telephony providers, web analytics tools, enrichment vendors, chatbot systems, payment tools, and workflow platforms. Revscale is not responsible for third-party platform policies, outages, limits, enforcement decisions, data practices, account restrictions, deliverability issues, or changes to API functionality.

Customer is responsible for its relationships with third-party platforms and for ensuring that Customer’s use of connected accounts complies with applicable third-party terms and laws.

9. Enterprise, Franchise, Agency, and Network Administration

If Customer participates in or administers an enterprise, franchise, agency, white-label, dealer, affiliate, parent-company, or network account structure, Customer authorizes designated corporate, parent, franchisor, agency, white-label, or network administrators to access, monitor, configure, audit, export, manage, and support location-level accounts and related data, including leads, transcripts, recordings, performance, CRM data, agent activity, settings, knowledge base usage, blacklists, suppression lists, reports, and billing information.

Corporate-level or parent-level settings may override location-level settings. Revscale may rely on instructions from the corporate, franchisor, agency, white-label, parent, or network administrator. Revscale is not responsible for disputes between franchisors, franchisees, agencies, dealers, parent entities, affiliates, locations, or other related parties regarding data access, lead ownership, billing, brand rules, or system usage.

10. Security Measures

Revscale will maintain administrative, technical, and organizational safeguards designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, and disclosure. These safeguards may include access controls, encryption in transit where reasonably available, authentication controls, logging, monitoring, least-privilege practices, personnel confidentiality obligations, backup controls, and vendor-risk processes appropriate to the nature of the Services.

Customer is responsible for maintaining the security of its accounts, credentials, connected accounts, user permissions, devices, integrations, and configuration choices.

11. Security Incidents

Revscale will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data, as required by Applicable Data Protection Laws. “Security Incident” means a confirmed unauthorized access to, acquisition of, or disclosure of Customer Personal Data processed by Revscale as processor or service provider. Unsuccessful login attempts, scans, pings, denial-of-service attempts, and similar events that do not result in unauthorized access to Customer Personal Data are not Security Incidents.

Revscale will provide information reasonably available to Revscale to assist Customer with Customer’s legally required notice obligations. Customer is responsible for determining whether notice is required to regulators, individuals, customers, franchisees, locations, or other third parties.

12. Data Subject Requests

Taking into account the nature of processing and the functionality of the Services, Revscale will provide reasonable assistance to Customer for responding to valid data subject requests concerning Customer Personal Data. Customer is responsible for verifying, evaluating, and responding to such requests unless Revscale is legally required to respond directly.

13. Assistance and Assessments

Revscale will provide reasonable information and assistance, at Customer’s written request and expense, as necessary for Customer to meet applicable obligations relating to privacy assessments, data protection impact assessments, security reviews, regulatory inquiries, and consultations with authorities, to the extent such assistance relates to Revscale’s processing of Customer Personal Data and is not available through the Services or Revscale’s standard documentation.

14. Audits

Upon reasonable written request, and subject to confidentiality, security, operational, and legal limitations, Revscale will make available information reasonably necessary to demonstrate compliance with this DPA. Revscale may satisfy audit obligations by providing security documentation, questionnaires, summaries, policies, certifications, third-party audit reports, or equivalent materials. On-site audits are disfavored and may be subject to separate fees, reasonable scope limits, advance notice, confidentiality obligations, and restrictions designed to protect other customers and Revscale systems.

15. Deletion and Return

Upon termination or expiration of the Agreement, Customer may request export or deletion of Customer Personal Data as provided in the Agreement and as supported by the Services. Revscale may retain Customer Personal Data as necessary for backups, legal compliance, dispute resolution, fraud prevention, security, billing, accounting, enforcement, audit logs, and ordinary business records, subject to applicable retention limits.

16. Aggregated and De-Identified Data

Revscale may create, use, retain, disclose, and commercialize aggregated, anonymized, or de-identified data derived from the Services for analytics, benchmarking, product improvement, internal AI evaluation, internal model improvement, safety systems, business intelligence, and other lawful business purposes, provided such data does not identify Customer or an individual in violation of Applicable Data Protection Laws.

Enterprise customers may negotiate or opt out of certain aggregated or de-identified AI training uses, but such opt-out does not restrict operational processing, security, billing, abuse prevention, support, service analytics, debugging, legal compliance, or processing required to provide the Services.

17. AI Systems and Model Providers

Revscale may process Customer Personal Data through AI models, large language models, speech-to-text systems, text-to-speech systems, retrieval systems, classifiers, scoring systems, automation tools, and other automated systems to provide the Services. Revscale does not permit third-party foundation-model providers to train their general models on raw Customer Content unless disclosed, enabled by Customer, or separately agreed.

18. International Transfers

Revscale and its subprocessors may process Customer Personal Data in the United States and other jurisdictions where they operate. Where required by Applicable Data Protection Laws, the parties will use appropriate transfer mechanisms, which may include the EU Standard Contractual Clauses, the UK Addendum, adequacy decisions, or other lawful transfer tools.

19. U.S. State Privacy Terms

To the extent Revscale processes Personal Information as a service provider or processor under U.S. state privacy laws, Revscale will not sell or share Customer Personal Data, retain, use, or disclose Customer Personal Data outside the business purposes permitted by the Agreement, or combine Customer Personal Data with personal information from other sources except as permitted by Applicable Data Protection Laws.

Customer acknowledges that Revscale may use subprocessors and may process Customer Personal Data for permitted business purposes, including providing, maintaining, securing, debugging, improving, and supporting the Services.

20. Conflict

If this DPA conflicts with the Agreement, this DPA controls only with respect to the processing of Customer Personal Data. The Agreement controls in all other respects, including fees, limitations of liability, indemnities, dispute resolution, venue, and remedies.

21. Contact

Legal notices and privacy-related requests may be sent to Revscale Technologies, Inc., 200 E Las Olas Blvd Suite 1400, Fort Lauderdale, FL 33301, or legal@getrevscale.com.

Schedule 1: Processing Details