Data Processing Agreement (DPA)

1. Background

This Data Processing Agreement ("DPA") governs the processing of Personal Data provided by Revy-o to the Professional in connection with Facilitation Services. The term "Prospective Customers" includes individuals who may become customers of the Professional.

Both parties acknowledge they are independent Data Controllers in processing Personal Data under this Agreement.

2. Use of Personal Data

The Professional, as a Data Controller, determines how Personal Data of Prospective Customers is used. However, the Professional must comply with the terms of this DPA and all applicable Data Protection Laws.

Personal Data obtained through Facilitation Services should only be used for the specified Purpose. If any other use is intended, the Professional must obtain any necessary consent and assume the associated risks.

3. Professional's Obligations

• Comply with applicable Data Protection Laws and maintain privacy protection standards.
• Provide clear information to Prospective Customers regarding Personal Data processing.
• Ensure Personal Data is used in compliance with Revy-o's obligations under Data Protection Laws.
• Prevent unauthorized use of Personal Data.
• Retain Personal Data only as long as necessary, unless legally required otherwise.
• Implement security measures as detailed in Appendix 1.
• Notify Revy-o of any Security Breach within 48 hours and assist in mitigation efforts.
• Inform Revy-o if unable to meet Data Protection obligations.
• Indemnify Revy-o for any losses from non-compliance with the DPA.

4. International Transfers of Data

Personal Data from the EEA, UK, or Switzerland can only be transferred outside these regions if adequate protection for Data Subjects' rights is ensured. Where this isn't available, Standard Contractual Clauses (SCCs) will apply.

5. Data Subject Rights

The Professional must notify Revy-o of any Data Subject requests related to their rights under Data Protection Laws, such as access, rectification, or erasure, and assist Revy-o in responding to these requests.

6. Audits and Inspections

Revy-o can conduct audits or inspections to ensure compliance with the DPA, with the Professional providing access to relevant records.

7. Sub-processors

The Professional must get Revy-o's consent before engaging sub-processors and ensure they comply with DPA obligations. The Professional remains liable for their actions.

8. Termination and Data Handling

Upon termination, the Professional must return or securely delete Personal Data unless legally required to retain it, and confirm this to Revy-o in writing.

9. Liability

Each party's liability is limited as per this DPA, except where not legally possible. The Professional indemnifies Revy-o for breaches.

10. Governing Law and Jurisdiction

This DPA is governed by the laws of England and Wales, with disputes subject to their courts' exclusive jurisdiction.

11. Definitions

Definitions include Data Controller, Data Processor, Data Protection Laws, Data Subject, Personal Data, Purpose, and Security Breach.

12. Legal Effect

This DPA is legally binding upon incorporation into an executed Agreement. Electronic signatures hold the same legal status as handwritten ones.

Appendix 1 - Technical and Organisational Measures

• Encryption of Personal Data in transit and at rest.
• Access controls for authorized personnel only.
• Regular security audits and penetration testing.
• Incident response plans and breach notification protocols.
• Secure disposal of Personal Data when no longer needed.

Appendix 2 - Standard Contractual Clauses

The SCCs apply to any international transfer of Personal Data, with relevant modules and options outlined in this Appendix.