
Data Processing Agreement

Effective · May 1, 2026
Jurisdiction · EEA / UK
Version · 4.0

The plain-language version

  • You're the Controller. We're the Processor. We process Customer Data on your written instructions.
  • Sub-processors are listed in section 4. 14-day notice before any new one.
  • Security measures and audit rights are in sections 5 and 6.
  • This DPA is incorporated by reference into the main Terms of Service.

This summary is for convenience. The legal terms below are what actually govern your use of the service.

1. Parties and scope

This Data Processing Agreement (the “DPA”) supplements the ReviewBox Terms of Service between AT Work Inc., trading as ReviewBox (the “Processor”) and the customer (the “Controller”).

It applies whenever the Processor processes personal data on behalf of the Controller in the EEA, UK, or Switzerland.

Categories of data subjects: end users of Controller's mobile applications (review authors). Categories of personal data: review content, author handles, device/locale metadata, ratings.

2. Roles and responsibilities

Controller determines the purposes and means of processing. Processor processes Customer Data only on documented instructions from Controller, except as required by law.

Processor shall promptly inform Controller if, in its opinion, an instruction infringes applicable data protection law.

3. Confidentiality

Processor ensures persons authorised to process Customer Data are bound by confidentiality (employment contract, NDA) and are limited to those who need access to perform the services.

4. Sub-processors

Controller grants general authorisation for the sub-processors listed at /sub-processors. Processor notifies Controller of any intended new sub-processor at least 14 days in advance; Controller may object on reasonable grounds.

Current authorised sub-processors: Supabase (database, EU region), Clerk (authentication), Stripe (billing), Groq (AI inference, no data retention), Google (AI inference), Resend (email), PostHog (analytics), Upstash (rate limiting).

5. Security measures

Customer Data is encrypted with AES-256 at rest and TLS 1.3 in transit. Workspace isolation is enforced via row-level security in the database. Processor conducts quarterly penetration tests and rotates encryption keys every 90 days. SOC 2 Type II certification is in progress.

Access to production systems is restricted to authorised personnel, requires MFA, and is logged. Processor conducts annual security training for all employees with access to Customer Data.

6. Audit rights

Processor provides Controller with its current SOC 2 report on request, under NDA. Controller may conduct an audit no more than once per calendar year, with 30 days' notice, during business hours, and at Controller's expense.

Processor may satisfy audit requests by providing its most recent third-party audit report or security questionnaire responses where these reasonably address the Controller's concerns.

7. International transfers

Where Processor transfers Customer Data outside the EEA/UK, the Standard Contractual Clauses (Decision 2021/914) apply, attached as Annex II.

For transfers to the United Kingdom, the International Data Transfer Agreement (IDTA) applies. Controller's execution of this DPA constitutes execution of the applicable transfer mechanism.

8. Personal-data breach notification

Processor notifies Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach, including the nature of the breach, affected data subjects, likely consequences, and mitigation steps.

Processor maintains a register of all personal data breaches, whether or not notification is required, and makes it available to Controller on request.

9. Data return and deletion

Upon termination of the agreement or Controller's written request, Processor will delete or return all Customer Data within 30 days, at Controller's choice, and provide written certification of deletion.

Processor may retain Customer Data where required by applicable law, for the minimum period required, and will inform Controller of any such retention.

10. Liability

Each party's liability under this DPA is subject to the limitations set out in the main Terms of Service, except to the extent that applicable law prohibits such limitations in the context of data protection obligations.

Questions about this DPA? legal@tryreviewbox.com

AT Work Inc. (ReviewBox) · legal@tryreviewbox.com