Data Processing Agreement

1. Subject and duration

RecensioAI processes personal data solely on the documented instructions of the Controller, in the context of the performance of the main agreement. The DPA applies for as long as RecensioAI processes personal data on behalf of the Controller.

2. Nature, purpose and categories

Nature and purpose: providing software for review management, review requests (email/SMS/QR/NFC), AI-assisted review replies, sentiment and performance analyses, posts to Google Business Profile, dashboards, reporting and related support.

Categories of data subjects:

• Employees and users of the Controller (accounts).
• End-customers of the Controller who receive a review request or leave a review.
• Authors of public reviews on linked review platforms.

Categories of personal data:

• Contact details (name, email, phone number).
• Account and authentication data.
• Business and location data, Google account/location IDs, OAuth tokens.
• Review texts, ratings, replies, AI draft replies.
• Communication and campaign metadata (send status, opens, opt-outs).
• Billing and payment data via Stripe.
• Logs (auth, audit, error events).

No special categories of personal data (Art. 9 GDPR) are processed unless the Controller enters these into free-text fields. This is discouraged.

3. Obligations of RecensioAI

• Processes personal data solely on the Controller's written (or in-app) instructions, except where required otherwise by law.
• Ensures that persons with access to personal data are bound by confidentiality.
• Implements the technical and organisational measures described in Annex II.
• Provides reasonable assistance with data subject requests, breaches, DPIAs and audits.
• Deletes or returns all personal data within 30 days after termination of the agreement, unless required otherwise by law.

4. Sub-processors

The Controller grants RecensioAI general authorisation to engage the sub-processors listed in Annex III. RecensioAI enters into an agreement with each sub-processor with substantially equivalent obligations to this DPA. Changes to the list are published at least 30 days in advance; the Controller may object within that period.

5. International transfers

For transfers to countries outside the EEA, appropriate safeguards are applied, in particular the EU Standard Contractual Clauses (Decision 2021/914) and additional technical and organisational measures where necessary.

6. Personal data breaches

RecensioAI notifies the Controller without undue delay and in any event within 48 hours after becoming aware of a personal data breach affecting the Controller's personal data, and provides the information required to comply with the notification obligations (Art. 33–34 GDPR).

7. Audits

RecensioAI makes available, upon request, the information needed to demonstrate compliance with this DPA, and allows audits by the Controller (or an independent auditor mandated by the Controller), at most once per year, after reasonable notice and during business days, at the Controller's expense.

8. Liability and applicable law

Liability is limited as agreed in the terms and conditions. This DPA is governed by Dutch law; disputes are submitted to the competent court of East Brabant, location 's-Hertogenbosch.

Annex I — Description of processing

• Account and user management.
• Review requests via email, SMS, QR and NFC.
• Reading, displaying and replying to reviews from linked platforms (Google and others).
• AI-generated draft replies (reviewed by a human before publication).
• Posts and updates to Google Business Profile.
• Sentiment and performance analyses, dashboards and reporting.
• Demo workspaces (automatically deleted after 24 hours).
• Billing and subscription management via Stripe.
• Support, helpdesk and chat.

Annex II — Technical and organisational measures

• Row-Level Security (RLS) on every database table; role-based access via a secure database function.
• Encryption in transit (TLS 1.2+) and at rest (AES-256, managed by the hosting provider).
• Authentication via Supabase Auth with hashed passwords (bcrypt/argon2) and optional 2FA.
• Cloudflare Turnstile on public forms to protect against automated attacks.
• Rate limiting, input validation and HTML escaping on all user-supplied content.
• Automated deletion: demo workspaces after 24 hours, scan reports after 10 days, prospects after 10 days.
• Backups and recovery procedures with the hosting provider.
• Access, audit and error logs with limited retention.
• Vendor management and data processing agreements with all sub-processors.

Annex III — Sub-processors