Data Processing Addendum
Effective: June 7, 2023
In this DPA, “Data Protection Legislation” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, which may include, as applicable, EU Data Protection Law, the California Consumer Privacy Act of 2018, sections 1798.100 through 1798.199 of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations (together referred to as the “CCPA”), and the Brazilian Federal Law 13,709 (“LGPD”). EU Data Protection Law includes (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”) and (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).
In the course of providing the Application Services to Customer pursuant to the Agreement, RevenueCat may process Customer Personal Data. “Customer Personal Data” means any data which is defined as ‘personal data’ or ‘personal information’ under applicable Data Protection Legislation processed by RevenueCat pursuant to the Agreement. RevenueCat agrees to comply with the following provisions with respect to Customer Personal Data. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
By entering into this DPA, Customer instructs RevenueCat to Process Customer Personal Data: (a) to provide the Application Services in accordance with the features and functionality of the Application Services and related documentation; (b) to enable Customer’s authorized user-initiated actions on and through the Application Services; (c) as set forth in the Agreement and applicable order; and (d) as further documented by written instructions given by Customer. Notwithstanding the foregoing, RevenueCat will inform Customer promptly if it becomes aware that Customer’s instructions may violate applicable Data Protection Legislation.
Data Processing Terms
The parties agree that Customer is the data controller and that RevenueCat is its data processor in relation to Customer Personal Data. Customer shall comply at all times with Data Protection Legislation in respect of all Personal Data it provided to RevenueCat pursuant to the Agreement. The subject matter of the data processing covered by this DPA is the Application Services ordered by Customer either through RevenueCat’s website or through an order and provided by RevenueCat to Customer via www.revenuecat.com, or as additionally described in the Agreement or the DPA. The processing will be carried out for the term of the Agreement or until the term of Customer’s ordering of the Application Services ceases. Further details of the data processing are set out in Annexes 1A, 1B, 1C, 2, and 3 hereto.
In Paragraphs 1 through 11 below, (a) “data controller”, “data processor”, “Data Subject”, “Personal Data”, “processing”, “Supervisory Authority”, and “appropriate technical and organizational measures” shall be interpreted in accordance with applicable EU Data Protection Law and (b) “Customer Personal Data” shall refer to Customer Personal Data comprising of personal data of data subjects located in the European Economic Area (“EEA).
In Paragraph 12 below, the terms “service provider“, “business“, “consumer”, “business purpose”, “sell” (and “selling”, “sale”, and “sold”), “subcontractor” and “service provider” have the meanings given to them in §1798.140 of the CCPA, as applicable.
In respect of Customer Personal Data, RevenueCat:
- shall process the Customer Personal Data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to RevenueCat from time to time). If RevenueCat is required to process the personal data for any other purpose provided by applicable law to which it is subject, RevenueCat will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest; and shall notify Customer without undue delay if, in RevenueCat’s opinion, an instruction for the processing of personal data given by Customer infringes applicable EU Data Protection Law.
- shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure (including those outlined in Annex 2 of this DPA, (“Security Measures”). These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of Customer Personal Data which is to be protected. RevenueCat may make such changes to the Security Measures as RevenueCat deems necessary or appropriate from time to time, including without limitation to comply with applicable law, provided no such changes will materially reduce the overall level of protection for Customer Personal Data.
- may hire other third party companies to process Customer Personal Data for the purposes of providing the Application Services (“Sub-Processors”), including those set forth in Annex 3, provided that RevenueCat complies with the provisions of this DPA. Any such Sub-Processors will be permitted to process Customer Personal Data only to deliver the Application Services RevenueCat has retained them to provide, and they shall be prohibited from using Customer Personal Data for any other purpose. RevenueCat remains responsible for its Sub-Processors’ compliance with the obligations of this DPA. Any Sub-Processors to whom RevenueCat transfers Customer Personal Data will have entered into written agreements with RevenueCat requiring that the Sub-Processor abide by terms no less protective than those in this DPA. If Customer requires prior notification of any updates of additional Sub-Processor to the list of Sub-Processors, Customer can request such notification in writing by emailing email@example.com. RevenueCat will update the Sub-Processor list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with applicable Data Protection Legislation. If, in RevenueCat’s reasonable opinion, such objections are legitimate, and RevenueCat is unable to modify the Application Services to prevent disclosure of Customer Personal Data to the Sub-Processor, then Customer may, by providing written notice to RevenueCat, terminate the Agreement.
- at the Customer’s request and cost (and insofar as is possible), shall reasonably assist the Customer by implementing appropriate and reasonable technical and organizational measures to assist with the Customer’s obligation to respond to requests from Data Subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data), provided RevenueCat is legally permitted to do so and that the Data Subject request was made in accordance with relevant Data Protection Legislation, and provided that RevenueCat reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance. If RevenueCat receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, RevenueCat will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Application Services. Customer hereby agrees that RevenueCat may confirm to a Data Subject that his or her requests relates to Customer.
- take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Article 32 to 36 of the General Data Protection Regulation taking into account the nature of the processing under this DPA, provided that RevenueCat reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.
- at the end of the applicable term of the Application Services, upon Customer’s request, RevenueCat shall securely destroy or return to Customer any Customer Personal Data within RevenueCat’s possession or control, subject to RevenueCat’s standard data backup and archival practices. Such request must be made within thirty (30) days of termination. Thereafter RevenueCat may permanently delete the Customer Personal Data from its live systems.
- make available information to Customer at Customer’s request which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer on reasonable, legitimate grounds for suspecting a breach of this DPA. RevenueCat will provide for such audits by allowing Customer to review confidential summary reports (“Audit Report”) prepared by third-party security professionals at RevenueCat’s selection and expense. If Customer can demonstrate that it requires additional information, beyond the Audit Report, and where required by Data Protection Legislation, RevenueCat shall allow, no more than once every 12 months and at Customer’s expense, Customer and its respective auditors or authorized agents to conduct audits or inspections of RevenueCat’s procedures relevant to the protection of Customer Personal Data to verify RevenueCat’s compliance with its obligations under this DPA during the term of the Agreement, provided that Customer has given RevenueCat at least forty-five (45) days prior written notice and such audit or inspection is conducted during reasonable business hours with minimal disruption to RevenueCat. Such audit may be carried out by Customer or an inspection body mutually agreed upon by the parties and composed of independent members in possession of the required professional qualifications and bound by a duty of confidentiality. Such audit shall have a duration of no longer than 48 hours.
- Representatives of Customer performing an audit pursuant to Paragraph 7 above shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement, and shall abide by RevenueCat’s security policies while on RevenueCat’s premises. Upon completion of an audit, Customer agrees to promptly furnish to RevenueCat any written audit report or, if no written report is prepared, to promptly notify RevenueCat of any non-compliance discovered during the course of the audit. The results of any such audit shall be considered RevenueCat’s confidential information. For the avoidance of doubt no access to any part of RevenueCat’s IT system, data hosting sites or centers, or infrastructure will be permitted as part of an audit or inspection and the audit will not include access to any information that could compromise confidential information relating to other RevenueCat clients or suppliers, RevenueCat’s proprietary technology or any trade secrets.
- RevenueCat shall provide information reasonably requested by Customer to demonstrate compliance with the obligations set out in this DPA.
- Subject to the terms and conditions of the Agreement and EU Data Protection Law, RevenueCat currently makes available the Standard Contractual Clauses (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en) as a transfer mechanism (“EU SCCs”). The Standard Contractual Clauses apply to any transfer of Customer Personal Data under this DPA from the European Economic Area (EEA) to a country which is not deemed to have Adequacy as defined in EU Data Protection Law (to the extent such transfers are subject to EU Data Protection Law) (“Restricted Transfer”). The Standard Contractual Clauses and the terms of this Paragraph apply to the legal entity that executed the Standard Contractual Clauses as “data exporter” and its participating affiliates, all of which shall be deemed “data exporters.” Where a Restricted Transfer is made from the EEA, the EU SCCs are incorporated into this DPA and apply to the transfer as follows: (i) the module two (controller to processor) terms shall apply to the extent Customer is a Controller of Customer Personal Data and the module three (processor to processor) terms shall apply to the extent Customer is a Processor of the Customer Personal Data; (ii) Clause 9, Option 2 of the applicable module of the EU SCCs shall apply and RevenueCat may engage Sub-Processors as described in Paragraph 3 of this DPA; (iii) in Clause 11, the optional language shall be deleted; (iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the EU SCCs shall be carried out as set out in and subject to the requirements of Paragraph 8 of this DPA; (v) pursuant to Clauses 8.5 and 16(d), upon termination of this DPA, Customer Personal Data will be returned and/or destroyed in accordance with Paragraph 7 of this DPA; (vi) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by Irish law; (vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (viii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum. Where a Restricted Transfer is made from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner’s Office on March 21, 2022 (“UK Transfer Addendum) and the EU SCCs as amended and modified by the UK Transfer Addendum (collectively referred to as the “UK IDTA SCCs”) is incorporated into this DPA and applies to the transfer. For the purposes of the UK IDTA SCCs: (ix) the Tables of the UK IDTA SCCs shall be populated with the relevant information set out in the Annexes to this Addendum; (x) the UK IDTA SCCs shall be governed by the laws of and disputes shall be resolved before the courts of England and Wales; and (xi) both “Importer” and “Exporter” are selected in Table 4 of the UK Transfer Addendum. If and to the extent the Standard Contractual Clauses conflict with any provision of this Addendum regarding the transfer of Customer Personal Data from Customer to RevenueCat, the Standard Contractual Clauses shall prevail to the extent of such conflict.
- If Customer Data comprises Personal Data subject to the LGPD (“LGPD Covered Data”), then Customer Personal Data, as the term is used in this DPA, shall be deemed to include LGPD Covered Data.
- If RevenueCat is processing Customer Personal Data within the scope of the CCPA (“CCPA Personal Data”), the Parties agree as follows. CCPA Personal Data is disclosed by Customer only for limited and specified purposes of providing Services to Customer pursuant to the terms of the Agreement. Each party agrees to comply with applicable obligations under CCPA and shall provide the same level of privacy protection to CCPA Personal Data as required by CCPA. Customer shall have the right to take reasonable and appropriate steps to help ensure that RevenueCat uses the CCPA Personal Data in a manner consistent with its obligations under CCPA. RevenueCat shall notify Customer if it makes a determination that it can no longer meet its obligations under CCPA. Upon such notice, RevenueCat may take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Personal Data. RevenueCat agrees not to retain, use or disclose CCPA Personal Data obtained in the course of providing services for any purpose other than for the Business Purposes set forth in the agreement, including retaining, using or disclosing CCPA Personal Data for a commercial purpose other than the Business Purpose set forth in the Agreement, or as otherwise permitted by CCPA. RevenueCat will not (a) sell (as defined in CCPA) or share (as defined in CCPA) any CCPA Personal Data, (b) retain, use or disclose CCPA Personal Data outside of the direct business relationship between RevenueCat and Customer, (c) combine CCPA Personal Data with personal data received by RevenueCat from or on behalf of another person or persons, or collects from its own interactions with the consumer, provided that RevenueCat may combine CCPA Personal Data to perform any Business Purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this section and in regulations adopted by the California Privacy Protection Agency. Notwithstanding the foregoing, RevenueCat may (i) to process or maintain personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA, (ii) to retain and employ another service provider (as defined in CCPA) as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and applicable regulations, (iii) for internal use by RevenueCat to build or improve the quality of its services it is providing to Customer, even if this Business Purpose is not specified in the Agreement, provided that RevenueCat does not use the CCPA Personal Data to perform services on behalf of another person, (iv) to prevent, detect or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement or (v) for the purposes enumerated in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7). If RevenueCat receives a request to know or a request to delete from a consumer with respect to CCPA Personal Data, then RevenueCat shall either act on behalf of Customer in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider. To the extent of any conflict, this Paragraph 13 will supersede other terms in this DPA with respect to CCPA Personal Data.
Without limiting its responsibilities under the Agreement, Customer is solely responsible for: (a) Customer Data, subject to RevenueCat’s Processing obligations under the Agreement and this DPA; (b) providing any notices required by Data Protection Legislation to, and receiving any required consents and authorizations required by Data Protection Legislation from, persons whose Personal Data may be included in Customer Data; and (c) ensuring no special categories of Personal Data (GDPR Article 9) or Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing by the Application Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than its authorized users to access and use the Application Services or use (or permit others to use) the Application Services other than as described in the applicable Ordering Document, the Agreement and this DPA, or for any unlawful purpose.
Each Party’s (and each of its affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Data Protection Legislation.
Term and Termination
Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement.
LIST OF PARTIES
- Name: The Customer entity identified in the Agreement or on an applicable Ordering Document.
- Address: The Customer’s address specified on the Ordering Document.
- Contact person’s name, position and contact details: The Customer’s contact nominated for receiving notifications, as set forth above in the DPA.
- Activities relevant to the data transferred under the Standard Contractual Clauses: The data exporter is a customer of the data importer and utilizing the data importer’s services as described in more detail in the Agreement.
- Role (controller/processor): Controller and/or Processor.
- Name: RevenueCat, Inc.
- Address: 1032 E Brandon Blvd #3003 Brandon, FL 33511
- Contact person’s name, position and contact details: Miguel Carranza, Chief Technology Officer, firstname.lastname@example.org
- Activities relevant to the data transferred under these Clauses: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement.
- Role (controller/processor): Processor.
DESCRIPTION OF THE TRANSFER
Categories of data subjects:
Individuals about whom data is uploaded to the Application Services by (or at the direction of) the data exporter or by its authorized users, subsidiaries, and other participants whom the data exporter has granted the right to access the Application Services in accordance with the provisions of the Agreement.
Categories of personal data:
The Personal Data transferred may include but is not limited to the following categories of data:
Any data uploaded to the Application Services by (or at the direction of) the data exporter or by its authorized users, subsidiaries and other participants whom the data exporter has granted the right to access the Application Services in accordance with the provisions of the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards:
Frequency of the transfer:
At data exporter’s discretion in using the Application Services, during the term of the Agreement.
Nature of the processing:
Customer Personal Data transferred will be processed in accordance with the Agreement and any Ordering Document, and may be subject to the following basic processing activities:
Customer Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter’s instructions. The data importer processes Personal Data only on behalf of the data exporter. Processing operations include, but are not limited to the provision of the Application Services – this operation relates to all aspects of Personal Data processed.
Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Application Services and specifically in answer to a data exporter query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.
URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the Agreement. This operation relates to attachments and links in emails and will relate to any Personal Data within those attachments or links which could include all categories of Personal Data.
Disclosures in accordance with the Agreement, as compelled by Data Protection Legislation.
Purpose(s) of the data transfer and further processing:
Personal Data is processed for the purposes of providing the Application Services in accordance with the Agreement and any applicable Ordering Document.
Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained until termination or expiry of the Agreement, in accordance with Paragraph 7 of this DPA.
COMPETENT SUPERVISORY AUTHORITY
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.
TECHNICAL AND ORGANIZATIONAL MEASURES
RevenueCat considers protection of Customer Data a top priority. As further described in this RevenueCat Information Security Policy, RevenueCat uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under RevenueCat’s control. RevenueCat maintains these security measures and is currently in the process of being audited for SOC2 – Type II.
- Customer Data and Management. RevenueCat limits its personnel’s access to Customer Data as follows:
- Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access and individually-assigned Secure Socket Shell (SSH) keys for external engineer access;
- Limits the Customer Data available to RevenueCat personnel on a “need to know” basis;
- Restricts access to RevenueCat’s production environment by RevenueCat personnel on the basis of business need;
- Encrypts user security credentials for production access; and
- Prohibits RevenueCat personnel from storing Customer Data on electronic portable storage devices such as computer laptops, portable drives and other similar devices.
- Data Encryption. RevenueCat will utilize standard production ciphers using 128-bit AES in CBC mode and PKCS7 padding, with HMAC using SHA256 for authentication or equivalent.
- Network Security, Physical Security and Environmental Controls
- RevenueCat uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing Customer Data.
- RevenueCat maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Services.
- RevenueCat monitors privileged access to applications that process Customer Data, including cloud services.
- The Services operate on Amazon Web Services (“AWS”) and are protected by the security and environmental controls of Amazon. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
- The Services operate using Snowflake’s data warehouse and are protected by the security and environmental controls of Snowflake. Detailed information about Snowflake security is available at https://www.snowflake.com/wp-content/uploads/2019/12/Snowflake-Security-Overview-Q4-2019-2.pdf. For Snowflake’s ISO-27001 certificate, please see https://docs.snowflake.com/en/user-guide/cert-iso-27001.
- Independent Security Assessments. RevenueCat periodically assesses the security of its systems and the Services as follows:
- Private and public security bug bounty programs.
- RevenueCat hires accredited third parties to perform audits and to attest SOC2 – Type 2 compliance and certifications annually .
- Incident Response. If RevenueCat becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), RevenueCat will:
- Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
- Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, RevenueCat is not required to make such notice to the extent prohibited by Laws, and RevenueCat may delay such notice as requested by law enforcement and/or in light of RevenueCat’s legitimate needs to investigate or remediate the matter before providing notice.
- Each notice of a Breach will include:
- The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach;
- A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
- The scope of the Breach, to the extent known; and
- A description of RevenueCat’s response to the Breach, including steps RevenueCat has taken to mitigate the harm caused by the Breach.
- Business Continuity Management
- RevenueCat maintains an appropriate business continuity and disaster recovery plan.
- RevenueCat maintains processes to ensure failover redundancy with its systems, networks and data storage.
- Personnel Management
- RevenueCat performs employment verification, including proof of identity validation and criminal background checks for all new hires, including contract employees, in accordance with applicable law.
- Upon employee termination, whether voluntary or involuntary, RevenueCat immediately disables all access to RevenueCat systems, including RevenueCat’s physical facilities.
|A cloud service that stores our server logs and provides searching capabilities
|Amazon Web Services, Inc
|Our servers and production infrastructure. These include (but not limited to) ECS, RDS, Redshift, Elasticsearch, and Elasticache.
|Error monitoring tool
|Observability tool for our production infrastructure
|Cloud based data warehouse
|Serving user requests, caching, protecting against DOS attacks