Data Processing Agreement

Last updated: January 15, 2025

1. Introduction

This Data Processing Agreement (DPA) forms part of our Terms of Service and outlines how VelvetReply processes personal data on behalf of our customers in compliance with applicable data protection laws.

1.1 Purpose

This DPA ensures compliance with:

General Data Protection Regulation (GDPR)

California Consumer Privacy Act (CCPA)

Other applicable data protection laws

Industry best practices and standards

1.2 Scope

This DPA applies to all personal data processing activities carried out by VelvetReply in connection with our AI-powered review management services.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below:

2.1 Key Terms

"Data Controller" means our customer who determines the purposes and means of processing personal data

"Data Processor" means VelvetReply, who processes personal data on behalf of the Data Controller

"Personal Data" means any information relating to an identified or identifiable natural person

"Processing" means any operation performed on personal data

2.2 Legal Framework

"GDPR" means Regulation (EU) 2016/679

"CCPA" means California Consumer Privacy Act of 2018

"Data Subject" means the individual to whom personal data relates

3. Processing Activities

We process personal data to provide our AI-powered review management services, including review monitoring, response generation, and analytics.

3.1 Service-Related Processing

Review Management: Processing customer reviews and business information

AI Training: Using data to train and improve our AI models

Response Generation: Creating automated review responses

Analytics: Providing insights and reporting on review performance

3.2 Technical Processing

Authentication: User account management and security

Infrastructure: Hosting and technical support services

Monitoring: Service performance and security monitoring

Backup: Data backup and disaster recovery

4. Data Types

We may process the following categories of personal data as necessary to provide our services:

4.1 Customer Data

Business contact information (name, email, company)

Account credentials and authentication data

Service usage patterns and preferences

Payment and billing information

4.2 Review Data

Customer review content and ratings

Business response content

Review metadata (timestamps, platforms, etc.)

Interaction history and engagement data

4.3 Technical Data

IP addresses and device information

Browser and application logs

Performance metrics and error logs

Security event data

5. Security Measures

We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, or destruction.

5.1 Technical Safeguards

Encryption: End-to-end encryption for data in transit and at rest

Access Control: Multi-factor authentication and role-based access

Network Security: Firewalls, intrusion detection, and DDoS protection

Data Backup: Regular encrypted backups with geographic redundancy

5.2 Organizational Measures

Employee Training: Regular security awareness training

Access Management: Strict access controls and monitoring

Incident Response: Comprehensive incident response procedures

Vendor Management: Security assessments of third-party providers

5.3 Compliance Certifications

SOC 2 Type II certification

ISO 27001 information security management

GDPR compliance verification

Regular third-party security audits

6. Data Retention

We retain personal data only for as long as necessary to provide our services or as required by applicable law.

6.1 Retention Periods

Active Accounts: Data retained while account is active

Inactive Accounts: Data deleted after 12 months of inactivity

Legal Requirements: Extended retention where required by law

Backup Data: Encrypted backups retained for disaster recovery

6.2 Deletion Procedures

Immediate Deletion: Upon account termination request

Secure Erasure: Use of industry-standard deletion methods

Verification: Confirmation of data deletion completion

Audit Trail: Documentation of all deletion activities

7. Subprocessors

We may use subprocessors to provide our services. All subprocessors are bound by data protection obligations no less protective than those in this DPA.

7.1 Subprocessor Categories

Cloud Infrastructure: Hosting and computing services

AI Services: Language model and machine learning providers

Analytics: Performance monitoring and analytics tools

Support Services: Customer support and communication tools

7.2 Subprocessor Requirements

Data Protection Agreements: Binding contractual obligations

Security Standards: Minimum security requirements

Geographic Restrictions: Data processing location controls

Audit Rights: Right to audit subprocessor compliance

7.3 Current Subprocessors

A current list of our subprocessors is available at `/legal/subprocessors` and is updated regularly.

8. Data Subject Rights

We assist our customers in fulfilling data subject requests, including access, rectification, erasure, and data portability.

8.1 Rights Support

Access Requests: Providing data copies in structured format

Rectification: Correcting inaccurate or incomplete data

Erasure: Deleting data upon valid request

Portability: Exporting data in machine-readable format

8.2 Response Timeline

Standard Requests: Responded to within 30 days

Complex Requests: Extended timeline with justification

Fee Waiver: No fees for standard requests

Appeal Process: Right to appeal adverse decisions

9. Breach Notification

In the event of a data breach, we will notify affected customers within 72 hours of becoming aware of the breach.

9.1 Notification Requirements

Timeline: Within 72 hours of breach discovery

Content: Detailed breach description and impact assessment

Recipients: All affected customers and relevant authorities

Updates: Ongoing communication as investigation progresses

9.2 Breach Response

Immediate Actions: Containment and mitigation measures

Investigation: Comprehensive breach investigation

Remediation: Implementation of corrective actions

Prevention: Measures to prevent future breaches

10. International Transfers

We may transfer personal data to countries outside the European Economic Area (EEA) when necessary to provide our services.

10.1 Transfer Mechanisms

Adequacy Decisions: Transfers to countries with adequate protection

Standard Contractual Clauses: EU-approved transfer mechanisms

Binding Corporate Rules: Intra-group transfer safeguards

Other Safeguards: Additional measures as required

10.2 Geographic Distribution

Primary Processing: European Union and United States

Backup Locations: Geographic redundancy for disaster recovery

Subprocessor Locations: As specified in our subprocessor list

Data Localization: Efforts to process data in customer's region

11. Compliance

We maintain compliance with applicable data protection laws, including GDPR, CCPA, and other relevant regulations.

11.1 Regulatory Compliance

GDPR: Full compliance with European data protection requirements

CCPA: Compliance with California privacy regulations

Industry Standards: Adherence to relevant industry frameworks

Regular Audits: Ongoing compliance monitoring and verification

11.2 Compliance Monitoring

Internal Reviews: Regular compliance assessments

External Audits: Third-party compliance verification

Policy Updates: Regular review and update of policies

Training: Ongoing staff compliance training

12. Contact

For questions about this DPA, contact our Data Protection Officer:

Data Protection Officer: dpo@velvetreply.com Legal Department: legal@velvetreply.com Postal Address: [Your Company Address] Phone: [Your Phone Number]

12.1 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have not addressed your concerns adequately.

---

This Data Processing Agreement is effective as of January 15, 2025, and will remain in effect until terminated or superseded by a new agreement.