Data Processing Addendum
Effective Date: March 21, 2026
Preamble
This Data Processing Addendum ("DPA") forms part of the Riovis Platform Terms of Service (the "Agreement") between TopHare Software Studio LLC (the "Company" or "Processor") and the subscribing entity (the "Subscriber" or "Controller"). This DPA sets out the terms under which the Company processes Personal Data on behalf of the Subscriber in connection with the Riovis Platform (the "Platform").
In the event of any conflict or inconsistency between the terms of this DPA and the Agreement, this DPA shall control with respect to the Processing of Personal Data.
1. Definitions
1.1 "Applicable Privacy Law"
Means any law, regulation, or binding guidance relating to the Processing of Personal Data applicable to the parties, including but not limited to: the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the United Kingdom General Data Protection Regulation ("UK GDPR") and the UK Data Protection Act 2018; the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"); the Personal Information Protection and Electronic Documents Act ("PIPEDA"); the Texas Data Privacy and Security Act ("Texas TDPSA"); and any other data protection or privacy law applicable to the Processing of Personal Data under this DPA.
1.2 "Controller"
Means the Subscriber, as the entity that determines the purposes and means of the Processing of Personal Data.
1.3 "Data Subject"
Means an identified or identifiable natural person to whom Personal Data relates. Data Subjects may include, without limitation, the Subscriber's customers, email recipients, marketing audiences, employees, and other individuals whose data is processed through the Platform.
1.4 "Personal Data"
Means any information relating to an identified or identifiable natural person. This definition encompasses "Personal Information" as defined under the CCPA/CPRA and "Personal Information" as defined under PIPEDA. Personal Data includes, without limitation: names, email addresses, physical addresses, device identifiers, IP addresses, cookies and similar tracking technologies, purchase history, and behavioral data.
1.5 "Processing"
Means any operation or set of operations performed on Personal Data, whether or not by automated means, including but not limited to: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction.
1.6 "Processor"
Means the Company, which processes Personal Data on behalf of the Controller in connection with the provision of the Platform.
1.7 "Restricted Transfer"
Means a transfer of Personal Data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the applicable regulatory authority, including transfers to the United States where no lawful transfer mechanism is in place.
1.8 "Security Incident"
Means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by the Company or its Sub-Processors.
1.9 "Sensitive Personal Data"
Means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, data concerning a person's sex life or sexual orientation, Social Security numbers, precise geolocation data, and financial account credentials. The Company does NOT intentionally collect Sensitive Personal Data. The Subscriber shall not upload Sensitive Personal Data to the Platform without the Company's prior written consent.
1.10 "Sub-Processor"
Means any third-party processor engaged by the Company to process Personal Data on behalf of the Subscriber. The current list of approved Sub-Processors is set forth in Section 7 and Exhibit B of this DPA.
1.11 "Standard Contractual Clauses"
Means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 ("EU SCCs"), and the International Data Transfer Addendum issued by the UK Information Commissioner's Office ("UK IDTA"), as applicable.
1.12 "Usage Data"
Means data that has been anonymized, aggregated, or de-identified such that it cannot reasonably be used to identify a natural person. Usage Data is NOT Personal Data and is not subject to this DPA.
2. Roles of the Parties and Scope of Processing
2.1 Party Roles
The Subscriber acts as the Controller and the Company acts as the Processor with respect to the Processing of Personal Data under this DPA. The Company is an independent Controller for account registration data, billing data, and Usage Data. Stripe, Inc. acts as an independent controller and/or co-processor for payment data processed through the Platform's payment infrastructure.
2.2 Scope
The scope of Processing is limited to providing the Platform features described in this DPA and the Agreement. The details of Processing are set forth in Exhibit A.
2.3 No Sale of Personal Data
The Company does NOT sell Personal Data as defined under the CCPA/CPRA. The Company does not engage in cross-context behavioral advertising except where directed by the Subscriber (for example, when the Subscriber uses Platform features that interface with the Meta Ads API to deliver advertising campaigns).
2.4 CCPA/CPRA Service Provider Designation
For purposes of the CCPA/CPRA, the Company is a "Service Provider." The Company processes Personal Data only for the specific business purposes set forth in this DPA and the Agreement. The Company certifies that it understands and will comply with the restrictions applicable to Service Providers under the CCPA/CPRA, including the prohibition on selling or sharing Personal Data, retaining, using, or disclosing Personal Data outside of the direct business relationship, and combining Personal Data received from the Subscriber with Personal Data received from other sources.
2.5 Texas TDPSA Processor Designation
For purposes of the Texas TDPSA, the Company acts as a Processor. The Company shall adhere to the Subscriber's instructions with respect to the Processing of Personal Data and shall assist the Subscriber in meeting its obligations as a Controller under the Texas TDPSA, including obligations related to the security of Processing and notification of Security Incidents.
2.6 PIPEDA Compliance
Where PIPEDA applies, the Company processes Personal Data as an agent of the Subscriber and maintains a comparable level of protection for Personal Data as required by PIPEDA. The Subscriber is responsible for obtaining all necessary consents from Canadian Data Subjects in accordance with PIPEDA prior to providing Personal Data to the Platform.
3. Processing Instructions
3.1 Documented Instructions
The Company shall process Personal Data only on documented instructions from the Subscriber. Documented instructions include: the terms of this DPA, the Agreement, Platform configurations set by the Subscriber, instructions provided through the Platform's support channels, and any additional written instructions agreed upon by the parties.
3.2 Notification of Infringing Instructions
The Company shall promptly inform the Subscriber if, in the Company's opinion, an instruction from the Subscriber infringes Applicable Privacy Law. The Company may suspend the relevant Processing until the Subscriber provides clarification or a revised instruction.
3.3 Prohibition on Unauthorized Processing
The Company shall not retain, use, or disclose Personal Data outside of the direct business relationship between the Company and the Subscriber. The Company shall not combine Personal Data received from the Subscriber with Personal Data received from other sources. The Company shall not use Personal Data for AI model training without the Subscriber's separate explicit written consent.
3.4 AI Model Training - Explicit Prohibition
THE COMPANY WILL NOT USE SUBSCRIBER CONTENT, PERSONAL DATA, AI PROMPTS, OR AI-GENERATED OUTPUT TO TRAIN, FINE-TUNE, OR BENCHMARK ARTIFICIAL INTELLIGENCE OR MACHINE LEARNING MODELS WITHOUT A SEPARATE, EXPLICIT WRITTEN CONSENT FROM THE SUBSCRIBER.
The Company acknowledges that it utilizes third-party AI providers, including OpenAI, Anthropic, and Google (Veo/GCP), each of which maintains its own data processing policies. The Company uses API configurations and contractual commitments from these providers that prohibit the use of customer data for model training ("no-training configurations").
4. Company Obligations as Processor
4.1 Confidentiality
The Company shall ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory. Access to Personal Data shall be limited to personnel on a need-to-know basis.
4.2 Technical and Organizational Security Measures
The Company shall implement and maintain appropriate technical and organizational security measures as described in Exhibit C, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
4.3 Data Subject Rights Assistance
The Company shall assist the Subscriber in fulfilling its obligations to respond to Data Subject requests. The Company shall forward any Data Subject requests received directly to the Subscriber within five (5) business days. The Company shall not respond to Data Subject requests on behalf of the Subscriber without the Subscriber's prior authorization. The Company shall provide reasonable technical tools and capabilities to enable the Subscriber to fulfill Data Subject requests through the Platform.
4.4 Compliance Assistance
The Company shall provide reasonable assistance to the Subscriber with data protection impact assessments ("DPIAs"), prior consultations with supervisory authorities, and other Controller obligations under Applicable Privacy Law, to the extent that such assistance is required and relates to the Company's Processing of Personal Data.
4.5 Legal Process Notification
If the Company receives a subpoena, court order, or other legal process requiring the disclosure of the Subscriber's Personal Data, the Company shall: (a) promptly notify the Subscriber to the extent permitted by law; (b) cooperate with the Subscriber to seek a protective order or other appropriate remedy; and (c) disclose only the minimum amount of Personal Data required by the legal process.
4.6 Records of Processing Activities
The Company shall maintain records of Processing activities carried out on behalf of the Subscriber in accordance with Article 30(2) of the GDPR. Such records shall be made available to the Subscriber upon request.
5. Security Incident Notification and Response
5.1 Notification
The Company shall notify the Subscriber of any confirmed Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident. The notification shall include, to the extent available:
- The nature of the Security Incident, including categories and approximate number of Data Subjects and records affected;
- The name and contact details of the Company's Data Protection Officer or designated contact;
- A description of the likely consequences of the Security Incident;
- A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its adverse effects.
The Company shall cooperate with the Subscriber and take reasonable steps to contain and remediate the Security Incident.
5.2 Incident Response Plan
The Company maintains an incident response plan that includes the following phases:
- Detection: Identification of potential Security Incidents through monitoring and alerting systems.
- Containment: Immediate measures to contain the Security Incident and prevent further unauthorized access or data loss.
- Forensics: Investigation and analysis to determine the scope, cause, and impact of the Security Incident.
- Remediation: Implementation of corrective measures to address vulnerabilities and prevent recurrence.
- Review: Post-incident review to evaluate the effectiveness of the response and update procedures as necessary.
- Regulatory notification: Coordination with the Subscriber regarding notification to supervisory authorities and affected Data Subjects as required by Applicable Privacy Law.
5.3 Subscriber Notification Responsibility
The Subscriber retains sole responsibility for determining whether a Security Incident triggers notification obligations under Applicable Privacy Law and for issuing any required notifications to supervisory authorities, Data Subjects, or other parties.
5.4 Exclusions
The following events do not constitute a Security Incident for purposes of this Section 5:
- Failed login attempts, brute-force attacks, or other unsuccessful access attempts that do not result in unauthorized access;
- Port scans, network probes, or other reconnaissance activities;
- Incidents caused by the Subscriber's own actions, configurations, or negligence;
- Incidents affecting third-party systems outside the Company's control.
6. Data Subject Rights and Requests
6.1 GDPR/UK GDPR Rights
The Company shall assist the Subscriber in responding to Data Subject requests exercising the following rights under the GDPR and UK GDPR:
- Right of access (Article 15);
- Right to rectification (Article 16);
- Right to erasure ("right to be forgotten") (Article 17);
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20);
- Right to object (Article 21);
- Rights related to automated individual decision-making, including profiling (Article 22).
Erasure requests shall be processed within thirty (30) days of receipt.
6.2 CCPA/CPRA Rights
The Company shall assist the Subscriber in responding to the following consumer rights under the CCPA/CPRA:
- Right to know what Personal Information is collected, used, and disclosed;
- Right to delete Personal Information;
- Right to correct inaccurate Personal Information;
- Right to opt-out of sale or sharing of Personal Information;
- Right to limit the use and disclosure of Sensitive Personal Information;
- Right to non-discrimination for exercising privacy rights.
The Company shall assist the Subscriber in responding to verified consumer requests in accordance with the CCPA/CPRA.
6.3 Texas TDPSA Rights
The Company shall assist the Subscriber in responding to the following consumer rights under the Texas TDPSA:
- Right to confirm whether Personal Data is being processed;
- Right to access Personal Data;
- Right to correct inaccuracies in Personal Data;
- Right to delete Personal Data;
- Right to obtain a portable copy of Personal Data;
- Right to opt-out of targeted advertising, sale of Personal Data, and profiling.
6.4 PIPEDA Rights
The Company shall assist the Subscriber in responding to Data Subject rights under PIPEDA, including the right to access Personal Information and the right to challenge the accuracy and completeness of Personal Information.
6.5 Response Timelines
The Company shall forward any Data Subject request received directly to the Subscriber within five (5) business days. Data Subject requests shall be fulfilled within thirty (30) days, or within a shorter timeframe if required by Applicable Privacy Law.
7. Sub-Processors
7.1 General Authorization
The Subscriber grants the Company a general written authorization to engage the Sub-Processors listed in Exhibit B for the Processing of Personal Data in connection with the Platform.
7.2 Sub-Processor Obligations
The Company shall enter into a written data processing agreement with each Sub-Processor that imposes data protection obligations substantially similar to those set forth in this DPA. The Company shall remain fully liable to the Subscriber for the acts and omissions of its Sub-Processors. Sub-Processor access to Personal Data shall be limited to what is strictly necessary for the performance of the delegated Processing activities.
7.3 Sub-Processor Changes
The Company shall provide the Subscriber with at least thirty (30) days' prior written notice before engaging a new Sub-Processor or replacing an existing Sub-Processor. The Subscriber shall have fourteen (14) days from receipt of notice to object to the proposed change on reasonable data protection grounds. In the event of an objection, the parties shall engage in good-faith negotiations to resolve the concern. If the parties are unable to reach a resolution, the Subscriber shall have the right to terminate the Agreement upon sixty (60) days' written notice.
7.4 AI Sub-Processors
The Company engages the following AI Sub-Processors: OpenAI, Anthropic, and Google (Veo/GCP). These providers process data through API configurations that prohibit the use of customer data for model training ("no-training configurations"). The Company shall notify the Subscriber of any material changes to the data processing policies of AI Sub-Processors. All AI Sub-Processors are based in the United States and are subject to Restricted Transfer provisions. Relevant privacy policy review links for each AI Sub-Processor are provided in Exhibit B.
7.5 Riovis Engine Crawl
The Platform's Riovis Engine feature crawls the Subscriber's publicly accessible website(s) to extract brand configuration data (colors, fonts, logos, tone of voice). This data is processed solely for the purpose of configuring the Subscriber's brand profile within the Platform. Crawled data is retained during the Subscription Term plus ninety (90) days following termination or expiration. Crawled data is not shared with third parties and is not used for AI model training. The Subscriber is responsible for any third-party data or content present on the Subscriber's website that may be captured during the crawl process.
7.6 Resend (Email Delivery)
Resend processes the following categories of Personal Data: email addresses, recipient names, email content, and email metadata (send times, open rates, click rates, bounce data). The Subscriber is the Controller with respect to email recipients and their Personal Data. Resend retains engagement data for up to twenty-four (24) months from the date of send. The Subscriber shall not use the Platform's email features to send unsolicited commercial communications (spam).
7.7 Meta Graph API
The Platform interfaces with the Meta Graph API to enable social media publishing and advertising features. Meta processes the following categories of data: page access tokens, ad creative content, and audience targeting parameters. Meta's own privacy policies and terms of service apply to data processed through Meta's platform. The Subscriber is responsible for compliance with Meta's Platform Terms, Advertising Policies, and all applicable Meta requirements.
7.8 Shopify
The Platform accesses Shopify data through the Shopify Partner API, including products, collections, orders, and storefront configuration data. The Company does not access or store customer personally identifiable information beyond what is strictly necessary for publishing and synchronization features. Processing of Shopify data is subject to the Shopify API Terms of Service and the Shopify Partner Program Agreement.
8. International Data Transfers
8.1 Transfer Mechanisms
The Company relies on the following mechanisms for Restricted Transfers of Personal Data:
- EU Standard Contractual Clauses (Module 2 - Controller to Processor) for transfers from the EEA to the United States;
- UK International Data Transfer Addendum (UK IDTA) for transfers from the United Kingdom;
- Contractual protections consistent with PIPEDA requirements for transfers of Canadian Personal Information;
- SCCs and/or UK IDTA for transfers of Personal Data to AI Sub-Processors based in the United States.
8.2 Transfer Impact Assessment
The Company shall provide reasonable assistance to the Subscriber in conducting a Transfer Impact Assessment upon written request.
8.3 Mechanism Invalidation
If any transfer mechanism relied upon under this Section 8 is invalidated by a court of competent jurisdiction or supervisory authority, the parties shall cooperate in good faith to implement an alternative lawful transfer mechanism. The Company may suspend the affected Restricted Transfer if no lawful mechanism is available and such suspension is required by Applicable Privacy Law.
9. Audit and Inspection Rights
9.1 Audit Rights
The Subscriber may exercise its audit rights through the following mechanisms:
- Annual audit (remote): The Subscriber may submit written questionnaires, request copies of relevant audit reports (such as SOC 2 Type II reports), certifications (such as ISO 27001), and other compliance documentation. The Subscriber may request access to relevant personnel to discuss the Company's data protection practices.
- On-site audit: Subject to a written audit agreement, the Subscriber may conduct an on-site audit of the Company's facilities and systems. On-site audits require at least thirty (30) days' prior written notice, shall be conducted during normal business hours, and shall be at the Subscriber's sole cost and expense.
9.2 Confidentiality of Audit Results
All audit results, reports, and related information obtained during an audit shall be treated as the Company's Confidential Information and subject to the confidentiality provisions of the Agreement.
9.3 Supervisory Authority Cooperation
The Company shall cooperate with supervisory authorities with jurisdiction over the Processing activities, including EU Data Protection Authorities ("DPAs"), the UK Information Commissioner's Office ("ICO"), the California Privacy Protection Agency ("PPA"), and the Office of the Privacy Commissioner of Canada.
10. Data Minimization, Retention, and Deletion
10.1 Data Minimization
Personal Data processed under this DPA shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
10.2 Retention
Personal Data shall be retained in accordance with the retention schedule set forth in Exhibit A of this DPA.
10.3 Post-Termination Deletion
Following termination or expiration of the Agreement, and after the expiration of any applicable Export Window, the Company shall, at the Subscriber's election, either delete or return all Personal Data in a structured, commonly used, and machine-readable format. Personal Data stored in backup systems shall be deleted within twelve (12) months following termination or expiration.
10.4 Anonymized Data
Data that has been irreversibly anonymized such that it no longer constitutes Personal Data may be retained by the Company indefinitely. Anonymized data is not subject to this DPA.
11. Subscriber Obligations as Controller
11.1 Lawfulness
The Subscriber represents and warrants that it has complied with all applicable laws with respect to its collection and provision of Personal Data to the Platform, that it has a valid lawful basis for all Processing instructed under this DPA, that it has provided all required notices and obtained all required consents from Data Subjects, and that it will not instruct the Company to process Personal Data in a manner that would violate Applicable Privacy Law.
11.2 Accuracy
The Subscriber is responsible for the accuracy of Personal Data provided to the Platform. The Company is not obligated to independently verify the accuracy of Personal Data received from the Subscriber.
11.3 Sensitive Personal Data
The Subscriber shall not upload or otherwise provide Sensitive Personal Data to the Platform without the Company's prior written consent.
11.4 Email and Marketing Compliance
The Subscriber is solely responsible for compliance with all applicable email and marketing laws, including CAN-SPAM, CASL, and the GDPR. This includes maintaining lawful mailing lists, obtaining required consents, honoring opt-out and unsubscribe requests, and including required content in commercial messages.
11.5 Third-Party Platform Compliance
The Subscriber is responsible for compliance with the terms of service, advertising policies, and developer policies of third-party platforms accessed through the Platform, including Meta, Shopify, and Google.
12. Liability, Indemnification, and Relationship to Agreement
12.1 Incorporation into Agreement
This DPA is incorporated into and forms part of the Agreement. All limitations of liability set forth in the Agreement apply to this DPA. In the event of any conflict between this DPA and the Agreement with respect to data protection matters, this DPA shall prevail.
12.2 Company Liability
The Company shall be liable for the acts and omissions of its Sub-Processors to the same extent as if the Company had performed the Processing itself, subject to the liability limitations set forth in the Agreement.
12.3 Subscriber Indemnification
The Subscriber shall indemnify, defend, and hold harmless the Company from and against any claims, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from or related to:
- The Subscriber's failure to fulfill its obligations as Controller under Applicable Privacy Law;
- Processing instructions issued by the Subscriber that violate Applicable Privacy Law;
- The Subscriber's failure to obtain required consents from Data Subjects;
- Any breach by the Subscriber of this DPA.
12.4 Regulatory Investigation Cooperation
The parties shall cooperate with each other in the event of a regulatory investigation or enforcement action related to the Processing of Personal Data under this DPA.
13. Term and Termination
This DPA shall become effective on the Effective Date and shall remain in effect for the duration of the Agreement. This DPA shall automatically terminate upon the termination or expiration of the Agreement. Notwithstanding termination, the provisions of this DPA relating to security, confidentiality, and deletion or return of Personal Data shall survive until all Personal Data has been deleted or returned in accordance with Section 10.
14. General Provisions
14.1 Amendments
The Company may update this DPA from time to time by providing the Subscriber with at least thirty (30) days' prior written notice. Continued use of the Platform after the effective date of any amendment shall constitute acceptance of the updated DPA.
14.2 Entire Agreement
This DPA, together with its Exhibits and the Agreement, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous agreements, representations, and understandings relating to the subject matter hereof.
14.3 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.
14.4 Data Protection Contact
For questions, requests, or concerns regarding this DPA or the Company's data protection practices, please contact: privacy@riovis.com.
Exhibit A - Data Processing Details
A.1 Nature and Purpose of Processing
Personal Data is processed for the purpose of operating the Riovis Platform, including:
- Operating the Marketing, Support, and Inventory modules of the Platform;
- Riovis Engine crawl of Subscriber websites for brand configuration;
- AI-powered content generation using OpenAI, Anthropic, and Google Veo/GCP;
- Email campaign creation and delivery via Resend;
- Social media publishing and advertising via Meta Graph API;
- E-commerce product and storefront synchronization via Shopify Partner API;
- Platform analytics and reporting;
- In-app notifications and communications;
- Payment processing and billing via Stripe;
- Abuse detection and platform security.
A.2 Data Inventory
| Processing Activity | Company Role | Categories of Personal Data | Lawful Basis (GDPR) |
|---|---|---|---|
| Account registration and authentication | Controller | Name, email, password hash, organization | Contract performance (Art. 6(1)(b)) |
| Billing and payment processing (via Stripe) | Controller / Co-Processor (Stripe) | Billing name, email, payment card details, transaction records | Contract performance (Art. 6(1)(b)) |
| Email campaign delivery (via Resend) | Processor | Recipient email addresses, names, email content, engagement metadata | Legitimate interest / Consent (per Subscriber) |
| AI content generation (OpenAI, Anthropic, Google Veo) | Processor | Prompts, generated content, brand configuration data | Contract performance (Art. 6(1)(b)) |
| Riovis Engine website crawl | Processor | Publicly accessible website content, brand assets | Legitimate interest (Art. 6(1)(f)) |
| Social media publishing (Meta Graph API) | Processor | Page tokens, ad creative, audience targeting parameters | Consent / Legitimate interest (per Subscriber) |
| E-commerce synchronization (Shopify) | Processor | Products, collections, orders, storefront configuration | Contract performance (Art. 6(1)(b)) |
| Support ticket management | Processor | Customer names, emails, ticket content, attachments | Legitimate interest (Art. 6(1)(f)) |
| Platform analytics | Controller (Usage Data) / Processor (Personal Data) | IP addresses, device identifiers, behavioral data, session data | Legitimate interest (Art. 6(1)(f)) |
| Abuse detection and security | Controller | IP addresses, access logs, authentication events | Legitimate interest (Art. 6(1)(f)) |
A.3 Categories of Data Subjects
The following categories of Data Subjects may have their Personal Data processed through the Platform:
- Authorized users: Individuals granted access to the Platform by the Subscriber (employees, contractors, agents);
- Customers: The Subscriber's customers whose data is managed through the Platform;
- Email recipients: Individuals who receive email communications sent via the Platform;
- Website visitors: Individuals whose publicly accessible information is captured during Riovis Engine crawls of the Subscriber's website(s);
- Social media audiences: Individuals targeted or reached through social media publishing and advertising features.
A.4 Retention Schedule
| Data Category | Retention Period |
|---|---|
| Subscriber account data | Duration of Subscription Term + 90 days |
| Subscriber Content | Duration of Subscription Term + 30-day Export Window (90 days active retention, 12 months in backups) |
| Riovis Engine crawl data | Duration of Subscription Term + 90 days |
| Email campaign metadata | 24 months from date of send |
| AI prompt logs | 90 days rolling |
| Video generation inputs | 30 days post-generation |
| Payment and billing records | 7 years (legal/tax compliance) |
| Security logs | 12 months rolling |
| Suppression and opt-out lists | Retained indefinitely (compliance requirement) |
| Anonymized Usage Data | Retained indefinitely (not Personal Data) |
Exhibit B - Approved Sub-Processor List
| Sub-Processor | Legal Entity | Location | Purpose | Data Categories | Privacy Policy |
|---|---|---|---|---|---|
| AWS | Amazon.com, Inc. | United States | Cloud hosting and infrastructure | All categories of Personal Data | aws.amazon.com/privacy |
| GCP | Google LLC | United States | Cloud infrastructure | All categories of Personal Data | cloud.google.com/privacy |
| Google Veo | Google LLC | United States | AI video generation | Prompts, media files, brand configuration | policies.google.com/privacy |
| OpenAI | OpenAI, L.L.C. | United States | LLM inference | Content prompts, brand configuration | openai.com/policies/privacy-policy |
| Anthropic | Anthropic PBC | United States | AI inference | Content prompts, brand configuration | anthropic.com/privacy |
| Stripe | Stripe, Inc. | United States | Payment processing and billing | Billing name, email, payment card details, transaction records | stripe.com/privacy |
| Resend | Resend, Inc. | United States | Email delivery | Email addresses, content, metadata | resend.com/privacy |
| Meta | Meta Platforms, Inc. | United States | Social publishing and advertising | Ad creative, targeting parameters, page tokens | facebook.com/privacy/policy |
| Shopify | Shopify Inc. | Canada | E-commerce synchronization | Products, orders, storefront configuration | shopify.com/legal/privacy |
Note on AI Sub-Processors: All AI Sub-Processors (OpenAI, Anthropic, Google Veo/GCP) are engaged through API configurations that contractually prohibit the use of customer data for model training. The Subscriber is encouraged to review the privacy policies linked above for each AI Sub-Processor.
Exhibit C - Technical and Organizational Security Measures
C.1 Access Control
- Role-based access control (RBAC) enforced across all systems and environments;
- Multi-factor authentication (MFA) required for all personnel accessing production systems;
- Unique credentials assigned to each authorized user; shared accounts are prohibited;
- Quarterly access reviews to verify that access rights are appropriate and revoke unnecessary privileges;
- Privileged Access Management (PAM) for administrative and elevated-privilege accounts.
C.2 Encryption
- All data in transit is encrypted using TLS 1.2 or higher;
- All data at rest is encrypted using AES-256 encryption;
- Encryption keys are managed using Hardware Security Modules (HSM) and/or cloud-native Key Management Services (KMS);
- Backups are encrypted using the same standards as production data.
C.3 Network Security
- Infrastructure hosted with ISO 27001-certified cloud providers (AWS and GCP);
- Network segmentation to isolate production, staging, and development environments;
- Web Application Firewall (WAF) deployed to protect against common web exploits;
- Distributed Denial of Service (DDoS) protection;
- Intrusion Detection and Prevention Systems (IDS/IPS);
- Regular vulnerability scanning of network infrastructure.
C.4 Application Security
- Secure Software Development Lifecycle (SSDLC) practices;
- Software Composition Analysis (SCA) scanning for third-party dependencies;
- Application development aligned with OWASP Top 10 security risk mitigation;
- Annual penetration testing conducted by qualified third-party assessors;
- API security controls including OAuth 2.0 authentication, API key management, and rate limiting.
C.5 Logging and Monitoring
- Security Information and Event Management (SIEM) system for centralized log aggregation and analysis;
- Real-time alerting for anomalous activity and potential security events;
- Immutable audit logs retained for a minimum of twelve (12) months;
- 24/7 monitoring of production systems and security infrastructure.
C.6 Data Minimization
- Pseudonymization techniques applied where technically feasible;
- Production data is not used in development or testing environments;
- API integrations request only the minimum data necessary for the intended Processing purpose.
C.7 Physical Security
- Production infrastructure is hosted in AWS and GCP datacenters that maintain SOC 2 Type II, ISO 27001, and PCI DSS certifications, with biometric access controls and CCTV surveillance;
- Company office facilities are secured with keycard access control;
- No production data is stored on physical media or local devices.
C.8 Personnel Security
- Annual security awareness and data protection training for all personnel;
- Background screening for personnel with access to production systems;
- Confidentiality obligations binding all personnel who access Personal Data;
- Designated Data Protection Officer (DPO) responsible for overseeing compliance;
- Vendor risk assessments conducted prior to engaging new Sub-Processors.
C.9 Business Continuity and Disaster Recovery
- Daily automated backups of all production data;
- Annual Disaster Recovery Plan (DRP) tests with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO);
- Geographic redundancy across multiple availability zones and/or regions.