Data Processing Agreement

Data Processing Agreement (DPA) for Reviewhelden

Last updated: November 3, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between [Customer Name] (“Customer,” “you,” “your”) and Reviewhelden (“the Software,” “Processor,” “we,” “our,” “us”). This DPA governs the processing of personal data that we perform on behalf of the Customer in connection with the provision of the Software, in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Definitions

  • Data Controller: The entity determining the purposes and means of processing personal data.
  • Data Processor: The entity processing personal data on behalf of the Controller.
  • Data Subject: Any identified or identifiable natural person whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (e.g., collection, storage, use, disclosure, erasure).
  • Sub-Processor: Any third party appointed by the Processor to process personal data on behalf of the Customer.

2. Roles and Responsibilities

Customer as Data Controller: The Customer is the Data Controller for personal data processed through the Software and is responsible for the legal basis and overall compliance.

Reviewhelden as Data Processor: Reviewhelden is the Data Processor and processes personal data solely in accordance with this DPA and the Customer’s documented instructions.

3. Types of Personal Data Processed

  • End-user data: Names, email addresses, reviews, feedback, video testimonials, and information submitted via review requests or landing pages.
  • Customer data: Names, email addresses, contact details, login credentials, and business-related information.
  • Usage data: IP addresses, device information, and Software usage metrics.

The scope may change based on services provided; the Customer will be informed accordingly.

4. Purpose of Processing

  • Aggregating reviews from third-party platforms (e.g., Google, Facebook, Booking, TripAdvisor, Yelp, Trustpilot).
  • Responding to reviews (including AI-assisted replies) on behalf of the Customer.
  • Sending review request campaigns and processing feedback (including private feedback and video testimonials).
  • Sharing reviews via website widgets and social media assets.
  • Providing analytics to track and enhance reputation management.
  • Automating workflows related to review collection and follow-ups.

5. Duration of Processing

Processing continues for the duration of the Agreement unless otherwise required by law or until the Customer requests deletion.

6. Processor Obligations

  • Process under instructions: We process personal data only as necessary to provide the Software and per the Customer’s documented instructions.
  • Confidentiality: Personnel with access to personal data are bound by confidentiality obligations.
  • Security measures: We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure.
  • Assistance: We assist the Customer in responding to Data Subject requests and with data protection impact assessments as required.
  • Breach notification: We will notify the Customer without undue delay upon becoming aware of a personal data breach, providing relevant information and assistance.

7. Customer Obligations

  • Provide lawful, documented instructions and ensure compliance with applicable data protection laws.
  • Inform Data Subjects and obtain required consents where applicable.
  • Ensure a valid legal basis for processing personal data.
  • Handle Data Subject requests; Reviewhelden will assist upon request.

8. Sub-Processors

Reviewhelden may engage Sub-Processors to deliver the services. We will:

  • Ensure Sub-Processors provide a level of protection no less protective than this DPA.
  • Inform the Customer of intended changes to Sub-Processors, allowing the Customer to object on reasonable grounds.
  • Remain fully liable for Sub-Processors’ performance.

A current list of Sub-Processors is available upon request.

9. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or other jurisdictions, Reviewhelden will implement appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions, or other lawful mechanisms).

10. Security Measures

Reviewhelden maintains security appropriate to the risk, including (as applicable): encryption in transit, access controls, regular security assessments, and incident response procedures.

11. Data Subject Rights

We will assist the Customer in facilitating Data Subject rights under applicable laws, including rights to access, rectification, erasure, restriction/objection, and portability (where applicable). Requests received directly by Reviewhelden will be forwarded to the Customer without undue delay.

12. Data Retention and Deletion

Upon termination or expiration of the Agreement, and at the Customer’s choice, Reviewhelden will return or delete personal data processed on behalf of the Customer, unless retention is required by law.

13. Audit Rights

The Customer may request audits or inspections of Reviewhelden’s processing activities to verify compliance with this DPA. Audits shall occur with reasonable advance notice, at the Customer’s expense, and in a manner that minimizes disruption.

14. Liability

Liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except where prohibited by applicable data protection laws.

15. Governing Law

This DPA is governed by the laws of Germany, without regard to conflict-of-law principles.

16. Termination

This DPA remains in effect as long as Reviewhelden processes personal data on behalf of the Customer. Provisions that, by their nature, should survive termination shall so survive.

17. Contact Information

Questions about this DPA or data protection at Reviewhelden? Contact us at: info@reviewhelden.com

Note for EU/EEA/UK Customers: Where required, international transfers will rely on the EU Standard Contractual Clauses (and the UK Addendum, if applicable). For California consumers, references to “sale” or “sharing” align with CCPA/CPRA definitions.

Scroll to Top