REVGENTIC LIMITED
Last updated: 28 April 2026
1.1 Revgentic Limited ("Revgentic", "we", "our" or "us") and the counterparty identified in the Customer Agreement ("Customer", "you" or "your") have entered into an agreement for the provision of certain services by Revgentic pursuant to either:
1.1.1 Revgentic's Platform Terms and Conditions available at https://revgentic.com/legal (the "Terms"); or
1.1.2 where the parties have entered into a negotiated version of the Terms, a master subscription agreement, order form or other written agreement, those terms, (together, the "Customer Agreement").
1.2 This Data Processing Agreement, including its Schedules and any annexes (the "DPA"), forms part of the Customer Agreement and applies where, in connection with the provision of the Services under the Customer Agreement, Revgentic Processes Personal Data on behalf of the Customer.
1.3 The parties enter this DPA to set out the terms on which Revgentic will Process Personal Data on behalf of the Customer and to ensure that appropriate safeguards are in place in respect of that Processing.
1.4 This DPA is effective from the date on which the Customer Agreement comes into effect, or such other date as the parties may expressly agree in writing, and supersedes any previous terms between the parties relating to its subject matter.
1.5 Capitalised terms used in this DPA and not otherwise defined in it shall have the meanings given to them in the Customer Agreement.
Agreed terms:
2.1 The following definitions apply in this DPA:
2.2 The terms "data subject", "Processing" and "supervisory authority" / "data protection authority" (or the equivalent) shall have the meanings ascribed to them in the Data Protection Laws.
3.1 In the event of any inconsistency between the provisions of this DPA and the Customer Agreement, this DPA shall take precedence to the extent of that inconsistency. If any provision of this DPA is inconsistent with the SCCs, the SCCs shall prevail to the extent of that inconsistency, unless expressly stated otherwise in writing where permitted.
3.2 This DPA shall apply only to the extent that Revgentic Processes Customer Personal Data on behalf of the Customer.
3.3 The parties acknowledge that, for the purposes of the Data Protection Laws, the Customer is the Controller and Revgentic is the Processor, or where applicable, the Customer is a Processor and Revgentic is a sub-Processor.
3.4 The Customer instructs Revgentic to Process Customer Personal Data as reasonably necessary to provide the Services under the Customer Agreement and as otherwise set out in Schedule 1 to this DPA.
3.5 Each party shall comply with its respective obligations under the Data Protection Laws.
3.6 The Customer shall ensure that it has provided all notices and obtained all consents, permissions and other lawful bases required for:
3.6.1 the lawful transfer of Customer Personal Data to Revgentic; and
3.6.2 the lawful Processing of Customer Personal Data by Revgentic for the purposes of providing the Services.
4.1 Revgentic shall, in relation to any Customer Personal Data Processed in connection with the performance of the Services:
4.1.1 only Process Customer Personal Data on the Customer's documented instructions, including in respect of transfers of Customer Personal Data outside the United Kingdom, the EEA or any other relevant jurisdiction, unless Processing is required by applicable law;
4.1.2 take commercially reasonable steps to ensure the reliability of its employees, personnel and contractors who have access to Customer Personal Data, and ensure that all such persons are subject to appropriate contractual or statutory duties of confidentiality;
4.1.3 Security. Taking into account the nature, scope, context and purposes of the Processing, the risks to the rights and freedoms of natural persons, the state of the art and the costs of implementation, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. Such measures shall include, without limitation, the security measures set out in Schedule 2. Revgentic may update or amend those measures from time to time in line with technical developments and good industry practice, provided that such updates and amendments do not materially degrade the overall security of the Services;
4.1.4 taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects under Data Protection Laws, at the Customer's written request and to the extent legally permitted;
4.1.5 Data Subject rights. Assist the Customer in responding to Data Subject Requests under Data Protection Laws. If Revgentic receives a Data Subject Request relating to Customer Personal Data, Revgentic shall forward that request to the Customer without undue delay. The Customer authorises Revgentic to respond to the requesting Data Subject solely to confirm that the request has been passed to the Customer;
4.1.6 Data deletion and return. At the Customer's written request, and subject to any inherent technical limitations and any retention required by applicable law, delete or return Customer Personal Data on termination or expiry of the Customer Agreement;
4.1.7 No sale of data. Where applicable under the CCPA or other equivalent US privacy laws, not retain, use or disclose Customer Personal Data outside the direct business relationship with the Customer or for any purpose other than the purposes permitted under the Customer Agreement, this DPA and applicable law;
4.1.8 Breach notification. Notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. To the extent the relevant information is available, that notification shall include:
4.1.8.1 the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
4.1.8.2 the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
4.1.8.3 the likely consequences of the Personal Data Breach; and
4.1.8.4 the measures taken or proposed to be taken by Revgentic to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.1.9 Where, and insofar as, it is not possible to provide all such information at the same time, the information may be provided in phases without undue delay. The Customer agrees that an unsuccessful security incident will not be subject to this clause. For these purposes, an unsuccessful security incident means one that results in no unauthorised destruction, loss, alteration, disclosure of, or access to, Customer Personal Data or Customer Data;
4.1.10 Audits. Make available to the Customer information reasonably necessary to demonstrate Revgentic's compliance with this DPA, including to allow for and contribute to reasonable audits, at the Customer's sole cost, conducted by the Customer or an auditor designated by the Customer, provided that such audits may only be carried out:
4.1.10.1 not more than once in any 12-month period;
4.1.10.2 on at least 30 days' written notice;
4.1.10.3 during normal business hours; and
4.1.10.4 in a manner that causes minimal disruption to Revgentic's business operations.
4.1.11 The Customer may contact amir@revgentic.com to request a remote audit of procedures relevant to the protection of Personal Data.
4.2 Sub-processors. Customer hereby grants a general written authorisation to Revgentic to appoint sub-processors to support the performance of the Service. At Commencement Date of the Customer Agreement, Revgentic uses the sub-processors listed in here: https://security.revgentic.com/ and shall notify Customer of any changes concerning the addition or replacement of sub-processors by updating its maintained sub-Processors at least 30 days prior to the date on which those sub-processors commence processing of Customer Personal Data. If Customer objects to any new or replacement sub-processor on reasonable grounds related to data protection, it shall notify Revgentic of such objections in writing within 10 Business Days of the notification and the Parties will seek to resolve the matter in good faith. If Revgentic is reasonably able to provide the affected Services to the Customer in accordance with the Customer Agreement without using the sub-processor and decides in its discretion to do so, the Customer will have no further rights under this clause 4.2 in respect of the proposed use of the sub-processor. If Revgentic, in its discretion, requires use of the sub-processor and is unable to satisfy Customer's objection regarding the proposed use of the new or replacement sub-processor, then Customer may terminate the Customer Agreement effective upon the date Revgentic begins use of such new or replacement sub-Processor solely with respect to those Services that will use the proposed new sub-processor for the processing of Personal Data. If Customer does not provide a timely objection to any new or replacement sub-processor in accordance with this clause 4.2, Customer will be deemed to have consented to the sub-processor and waived its right to object. With respect to each sub-Processor, Revgentic shall ensure that the arrangement between Revgentic and sub-Processor, is governed by a contract including terms which meet the requirements of the Data Protection Law and offer at least the same level of protection for Customer Personal Data as those set out in this DPA ("Relevant Terms"). Revgentic shall procure the performance by such sub-Processor of the Relevant Terms and shall be liable to the Customer for any breach by such sub-processor of any of the Relevant Terms.
4.3 Government access requests. If Revgentic receives a legally binding request from a law enforcement agency or public authority to access Personal Data, Revgentic shall, unless legally prohibited from doing so:
4.3.1 promptly notify the Customer, including a summary of the request;
4.3.2 inform the requesting authority that Revgentic is a service provider and is not authorised to disclose the Personal Data without proper legal basis;
4.3.3 inform the requesting authority that requests for the Personal Data should be directed to the Customer; and
4.3.4 not provide access to the Personal Data unless required by law or authorised by the Customer in writing. To the extent Revgentic is legally prohibited from providing such notice, Revgentic shall use commercially reasonable efforts to obtain a waiver of that prohibition so that it may communicate as much information as possible to the Customer, as soon as possible.
4.4 Revgentic may challenge any such request where, after careful assessment, it concludes that there are reasonable grounds to consider the request unlawful, disproportionate or otherwise objectionable. Revgentic may pursue available appeal routes and may ask the Customer to cover reasonable external costs of doing so. Revgentic shall promptly notify the Customer if it becomes aware of any direct access by a public authority to Personal Data and shall provide such information as is available to it, to the extent permitted by law. For the avoidance of doubt, nothing in this DPA requires Revgentic to take any action or refrain from taking any action where doing so would expose Revgentic to civil or criminal penalty. Revgentic shall not disclose Personal Data in a disproportionate or indiscriminate manner beyond what is legally required. Revgentic shall ensure that any sub-Processors involved in the Processing of Personal Data are subject to equivalent commitments in relation to government access requests where required under the SCCs or otherwise under applicable Data Protection Laws.
5.1 In connection with the Services, the Parties acknowledge that Revgentic (and its sub-Processors) may process outside of Switzerland, the EEA and the United Kingdom, certain Personal Data protected by European Law for which Customer may be a Controller (or Processor on behalf of a third-party Controller, as the case may be).
5.2 Both Parties agree that where the transfer of Personal Data protected by European Law to Revgentic and/or its sub-Processors constitutes a Restricted Transfer, it shall be subject to the following safeguards:
5.2.1 EEA Transfers: in relation to Personal Data protected by the EU GDPR, the EU SCCs will apply completed as follows:
5.2.1.1 Module Two will apply where Customer is a Controller and Module Three will apply where Customer is a Processor;
5.2.1.2 in Clause 7, the optional docking clause will apply;
5.2.1.3 in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 4.2 of this DPA;
5.2.1.4 in Clause 11, the optional language will not apply;
5.2.1.5 in Clause 17, Option 2 will apply, and if the data exporter's Member State does not allow for third-party beneficiary rights, then the law of Ireland shall apply;
5.2.1.6 in Clause 18(b), disputes shall be resolved before the courts of the jurisdiction governing the Customer Agreement between the Parties or, if that jurisdiction is not an EU Member State, then the courts in Ireland shall be the designated forum. In any event, Clause 17 and 18 (b) shall be consistent in that the choice of forum and jurisdiction shall fall on the country of the governing law;
5.2.1.7 Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and
5.2.1.8 Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA.
5.2.2 Swiss Transfers: in relation to Personal Data protected by the Swiss DPA, the EU SCCs, completed as set out above in clause 5.2.1 of this DPA, shall apply to transfers of such Personal Data, except that:
5.2.2.1 the supervisory authority in respect of Personal Data shall be the Swiss Federal Data Protection and Information Commissioner;
5.2.2.2 references to "Member State(s)" in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland; and
5.2.2.3 references to the "General Data Protection Regulation", "Regulation 2016/679" or "GDPR" in the EU SCCs shall be understood to be references to the Swiss DPA.
5.2.3 UK Transfers: in relation to Personal Data that is protected by the UK GDPR, the EU SCCs, completed as set out above in clause 5.2.1 of this DPA, shall apply to transfers of such Personal Data, except that:
5.2.3.1 the EU SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between the transferring Customer (or the relevant member of the Customer Group) and Revgentic;
5.2.3.2 any conflict between the terms of the EU SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
5.2.3.3 for the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this DPA; and
5.2.3.4 Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".
5.2.4 The following terms shall apply to the EU SCCs (including as they may be amended under clauses 5.2.1 and 5.2.3 above):
5.2.4.1 Customer may exercise its right of audit under the EU SCCs as set out in, and subject to the requirements of, clause 4.1.10 of this DPA; and
5.2.4.2 Revgentic may appoint sub-Processors as set out in, and subject to the requirements of, clause 4 of this DPA, and Customer may exercise its right to object to sub-Processors under the EU SCCs in the manner set out in clause 4.2 of this DPA.
5.2.5 Should any provision of this DPA contradict, directly or indirectly, the EU SCCs (and the UK Addendum, as appropriate), the latter shall prevail.
5.3 In the event Customer seeks to conduct any assessment of the adequacy of the EU SCCs for transfers to any particular countries or regions, Revgentic shall, to the extent it is able, provide reasonable assistance to Customer for the purpose of any such assessment, provided that Customer covers all costs incurred by Revgentic in doing so.
5.4 Should Revgentic at any time adopt an alternative data export mechanism (including under the EU-U.S. Data Privacy Framework ("DPF"), the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF when in force, or under any new version of or successor adopted pursuant to applicable European Law) for the transfer of Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Laws and extends to the territories to which Personal Data is transferred), and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism.
Each party's liability under this DPA shall be subject to, and limited in accordance with, the limitations of liability set out in the Customer Agreement.
This DPA shall automatically terminate on the termination or expiry of the Customer Agreement, save to the extent any provisions of this DPA are intended to survive such termination or expiry.
If any provision of this DPA is held to be invalid, illegal or unenforceable, the remainder of this DPA shall remain valid and in full force and effect. Any invalid, illegal or unenforceable provision shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable while preserving the parties' original intention as far as possible. If such modification is not possible, the relevant provision shall be deemed deleted, but only to the minimum extent necessary.
The notice provisions set out in the Customer Agreement shall apply to any notice given under this DPA.
A person who is not a party to this DPA shall have no right to enforce any term of this DPA, except to the extent provided under the SCCs or the UK Addendum, where applicable.
This DPA shall be governed by and construed in accordance with the laws governing the Customer Agreement, save where the SCCs or the UK Addendum require otherwise.
This Schedule 1 forms part of the DPA and describes the Processing that Revgentic will perform on behalf of Customer.
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
The Personal Data Processed by Revgentic is determined and controlled by the Customer in its sole discretion. Anticipated categories include:
Revgentic does not intentionally solicit or require the Customer to submit special category data or criminal offence data through the Services. However, because call content and free-text inputs may contain free-form human conversation or notes, special category data may be incidentally disclosed or captured at the Customer's sole discretion and responsibility. Where such data is Processed, the following safeguards apply:
The Processing undertaken by Revgentic will involve any Processing necessary to provide the Services and fulfil its obligations under the Customer Agreement, including:
Personal Data will be retained for the term of the Customer Agreement and thereafter in accordance with the retention and deletion periods set out in the Customer Agreement, the DPA, and the Customer's documented instructions.
At the date of this DPA, Revgentic's retention approach is still being reviewed and further refined. Until a final retention schedule is agreed and implemented, Customer Personal Data will be retained only for so long as reasonably necessary to provide the Services, comply with the Customer Agreement, meet legal obligations, resolve disputes, enforce contractual rights, and maintain backup and disaster recovery processes.
Specific retention periods for categories such as call transcripts, derived outputs, account data, support logs, security logs, billing data and any sub-processor-held recordings should be confirmed and reflected in the final agreed retention schedule.
Description of the technical and organisational measures implemented by the Processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Revgentic maintains the following appropriate technical and organisational measures to protect Personal Data, and will additionally meet, at a minimum, the level required by applicable law: