Data Processing Addendum
1. Definitions
- "Applicable Data Protection Law" means data protection and privacy laws applicable to the parties' processing of Personal Data, including the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the Swiss Federal Act on Data Protection, US state privacy laws (such as the CCPA/CPRA), and India's Digital Personal Data Protection Act 2023 ("DPDP").
- "Personal Data" means information within Customer Data that relates to an identified or identifiable natural person, including any equivalent term under DPDP.
- "Sub-processor" means a third party engaged by Coedify to process Personal Data on the Customer's behalf.
- Other capitalised terms have the meanings given in the Terms of Service.
2. Roles and instructions
As between the parties, the Customer is the controller (or data fiduciary, where applicable) and Coedify is the processor (or data processor, where applicable) of Personal Data within Customer Data. Coedify will process Personal Data only on the Customer's documented instructions, including those given through the Service's configuration, the Terms, and any Order, and as required by law (in which case Coedify will inform the Customer unless prohibited).
3. Scope of processing
The subject matter, duration, nature and purpose of processing, categories of data subjects, and categories of Personal Data are described in Annex A.
4. Confidentiality
Coedify will ensure that personnel authorised to process Personal Data are bound by confidentiality obligations and trained on data protection responsibilities.
5. Security
Coedify will implement and maintain appropriate technical and organisational measures to protect Personal Data, as described on the Security page and summarised in Annex B. These measures are subject to technical progress and may be updated provided the level of protection is not materially reduced.
6. Sub-processors
The Customer provides a general authorisation for Coedify to engage the Sub-processors listed at revsko.com/security/#subprocessors and to engage additional Sub-processors that adhere to the requirements of this DPA. Coedify will impose, by written contract, data-protection obligations on each Sub-processor that are substantively no less protective than those Coedify owes the Customer under this DPA, including the obligations required by Article 28(3) of the EU/UK GDPR. In accordance with Article 28(4) of the EU/UK GDPR, Coedify remains fully liable to the Customer for the performance of each Sub-processor's data-protection obligations under this DPA.
Customers may subscribe to advance notice of additions or replacements to the Sub-processor list by emailing privacy@revsko.com. Coedify will give at least 30 days' advance notice (or such shorter period as is reasonable for urgent security or operational changes). The Customer may object on reasonable grounds related to data protection within 14 days of notice. If the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service for the remainder of the then-current term and receive a pro-rata refund of pre-paid, unused fees for that portion.
7. Data subject rights
Taking into account the nature of the processing, Coedify will provide reasonable assistance to the Customer (through appropriate technical and organisational measures, and to the extent possible) to fulfil the Customer's obligations to respond to data-subject requests under Applicable Data Protection Law. Coedify will promptly notify the Customer if it receives a request from a data subject relating to Customer Data and will not respond directly, except to direct the data subject to the Customer.
8. Assistance to the Customer
Coedify will provide reasonable assistance to the Customer with: (a) data protection impact assessments and prior consultations with supervisory authorities; (b) notifications of personal data breaches; and (c) information necessary to demonstrate compliance with this DPA, taking into account the nature of the processing and the information available to Coedify.
9. Personal data breach
Coedify will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to assist the Customer in meeting any breach-notification obligations under Applicable Data Protection Law. Coedify will take reasonable steps to investigate, contain, and remediate the breach.
10. Return and deletion of Personal Data
On termination of the Service, Coedify will, at the Customer's choice, delete or return Personal Data, and delete existing copies, unless retention is required by law. The Service provides functionality to export Customer Data; details are in the Privacy Policy. Backup deletion follows the standard backup cycle.
11. Audits
Coedify will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. Where required by Applicable Data Protection Law, the Customer (or an independent auditor mandated by the Customer and acceptable to Coedify) may, on reasonable prior written notice and at the Customer's expense, audit Coedify's compliance no more than once per year, except where required by a supervisory authority. Audits will be conducted during business hours, subject to confidentiality, and designed to minimise disruption.
12. International data transfers
12.1 EU Standard Contractual Clauses
Where Personal Data within the scope of the EU GDPR is transferred from the EEA to a country that does not benefit from a European Commission adequacy decision, the parties incorporate by reference the European Commission's Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 (the "EU SCCs"), with the following completion:
- Module. Module Two (controller-to-processor) applies where the Customer acts as controller. Module Three (processor-to-processor) applies where the Customer acts as a processor on behalf of its own customer or other controller. Both Modules are deemed completed by these Terms.
- Clause 7 (docking). Applies.
- Clause 9 (sub-processors). Option 2 (general written authorisation) applies, with the notice period set out in section 6 of this DPA.
- Clause 11 (redress). The optional independent-dispute-resolution provision does not apply.
- Clause 17 (governing law). The EU SCCs are governed by the law of the EU Member State of the data exporter where that Member State allows third-party-beneficiary rights; if the data exporter is not established in an EU Member State that so allows, the EU SCCs are governed by the law of Ireland.
- Clause 18 (forum and jurisdiction). The courts of the EU Member State whose law governs Clause 17 have jurisdiction; failing that, the courts of Ireland.
- Annexes. Annex I.A (parties), Annex I.B (description of transfer), Annex I.C (competent supervisory authority), Annex II (technical and organisational measures), and Annex III (Sub-processors) are completed by Annex 1, Annex A, Annex B, and the Sub-processor list of this DPA.
12.2 UK International Data Transfer Addendum
Where Personal Data within the scope of the UK GDPR is transferred from the United Kingdom to a country that does not benefit from a UK adequacy regulation, the parties incorporate by reference the UK Information Commissioner's International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum"), version B1.0, as in force from time to time, with the following completion:
- Table 1 (parties). Exporter: the Customer; Importer: Coedify Technology LLP, C-89, 5th Floor, Sector 2, Noida, UP 201301, India; key contact privacy@revsko.com; signature deemed given by execution of the Order incorporating this DPA.
- Table 2 (selected SCCs, modules and selected clauses). The EU SCCs as completed in section 12.1 above apply, including the Module selected and clause selections made there.
- Table 3 (appendix information). Annex 1A, 1B, II, and III are completed by Annex 1, Annex A, Annex B, and the Sub-processor list of this DPA.
- Table 4 (ending the Addendum). Either the importer or the exporter may end the Addendum as set out in section 19 of the Addendum.
12.3 Swiss FADP
Where Personal Data within the scope of the Swiss Federal Act on Data Protection ("FADP") is transferred from Switzerland to a country without an adequacy recognition under the FADP, the EU SCCs in section 12.1 apply with the following adaptations: references to the GDPR are read as references to the FADP; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner ("FDPIC"); references to EU Member State and EU courts are read, where the transfer concerns Swiss data subjects exclusively, as references to Switzerland and Swiss courts; and the SCCs protect the personal data of legal entities for the period during which the FADP so requires.
12.4 Other regimes (including India DPDP)
For transfers covered by other regimes (including transfers from India under the DPDP Act and the DPDP Rules 2025), the parties will implement the safeguards required by the applicable regime, including any restriction or notified-country requirement issued by the Indian Government under section 16 of the DPDP Act.
13. California and other US state laws
When Coedify processes Personal Data on the Customer's behalf in scope of the California Consumer Privacy Act as amended by the CPRA ("CCPA", Cal. Civ. Code §1798.100 et seq.) or other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, and equivalents), Coedify acts as a "service provider" or "processor" (and not as a "third party") and the Customer is the "business" or "controller". Coedify will:
- process Personal Data only for the specific business purposes set out in this DPA and the Order, and not for any other purpose;
- not "sell" Personal Data, and not "share" Personal Data for cross-context behavioural advertising, as those terms are defined under applicable US state law;
- not retain, use, or disclose Personal Data outside the direct business relationship between Coedify and the Customer, or for any commercial purpose other than performing the Service;
- not combine Personal Data received from or on behalf of the Customer with Personal Data received from or on behalf of any other person, or that Coedify collects from its own interaction with consumers, except as permitted to perform a business purpose under 11 CCR §7050(b) (and the equivalent provisions of other US state regulations);
- notify the Customer promptly in writing if Coedify determines that it can no longer meet its obligations under the CCPA or any other US state privacy law;
- grant the Customer the right, upon reasonable notice, to take reasonable and appropriate steps (including audits in line with section 11) to ensure that Coedify uses Personal Data in a manner consistent with the Customer's obligations under applicable US state privacy law, and to stop and remediate any unauthorised use;
- impose by contract on each Sub-processor the same restrictions on retention, use, disclosure, sale, sharing, and combination of Personal Data that apply to Coedify under this section, including the obligations required by 11 CCR §7051;
- provide the same level of privacy protection required of the Customer under the applicable US state law;
- cooperate with the Customer's response to verifiable consumer requests for access, deletion, correction, opt-out, and limitation of use of sensitive personal information.
Coedify certifies that it understands and will comply with the restrictions in this section.
14. India DPDP
Where India's Digital Personal Data Protection Act 2023 and the Digital Personal Data Protection Rules 2025 apply ("DPDP"), the Customer acts as the "Data Fiduciary" and Coedify acts as a "Data Processor" engaged by the Data Fiduciary under a valid contract. Coedify will:
- process Digital Personal Data only on the documented instructions of the Data Fiduciary and as required by Indian law;
- implement reasonable security safeguards as required by the DPDP and the DPDP Rules 2025, including breach-notification support;
- assist the Data Fiduciary with notices, consent management, withdrawal of consent, data-principal requests (including access, correction, completion, updating, erasure, grievance, and nomination), and Data Protection Board enquiries on the timelines prescribed by the DPDP Rules;
- maintain records of processing as required by the Data Fiduciary or the DPDP Rules;
- delete or return Personal Data on termination of the engagement, as set out in section 10;
- engage Sub-processors only on terms consistent with the DPDP and this DPA.
The Customer remains the Data Fiduciary under the DPDP and is responsible for the obligations placed on Data Fiduciaries, including the appointment of a grievance officer where required and the management of Significant Data Fiduciary obligations if so designated.
15. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service.
16. Order of precedence
To the extent of any conflict between this DPA and the Terms or an Order, this DPA prevails on matters of data protection. The Standard Contractual Clauses prevail over this DPA only to the extent legally required.
Annex 1 — Parties, description of transfer, and competent supervisory authority (SCC Annex I)
1.A Parties
Data exporter. The Customer, as identified in the applicable Order. Role: controller (Module Two) or processor (Module Three). Contact: as set out in the Order. Signature and date: deemed given by execution of the Order incorporating this DPA.
Data importer. Coedify Technology LLP. Address: C-89, 5th Floor, Sector 2, Noida, Uttar Pradesh 201301, India. Activities relevant to the transfer: providing the revsko Service as described in Annex A. Role: processor (Module Two) or sub-processor (Module Three). Contact: privacy@revsko.com. Signature and date: deemed given by acceptance of these Terms and the Order incorporating this DPA.
1.B Description of transfer
- Categories of data subjects: see Annex A.
- Categories of personal data: see Annex A.
- Sensitive data: not transferred unless expressly agreed in writing; if exceptionally transferred, the additional safeguards described in Annex B apply, including encryption at rest and in transit, strict access controls, and audit logging.
- Frequency: on a continuous basis, for the duration of the Service.
- Nature of the processing: hosting, storage, retrieval, organisation, structuring, consultation, use, disclosure by transmission, erasure, and destruction, in each case as needed to operate the Service.
- Purpose: providing and improving the revsko Service for the authorising Customer and user, as further described in Annex A.
- Retention: as set out in Privacy Policy section 10.
- Sub-processors: as listed and updated at revsko.com/security/#subprocessors.
1.C Competent supervisory authority
For Module Two transfers from the EEA, the competent supervisory authority is the supervisory authority of the EU Member State in which the data exporter is established; if the data exporter is not established in the EU, it is the supervisory authority of the EU Member State in which the data exporter's EU representative under Article 27 GDPR is established, or, failing both, the supervisory authority of the EU Member State in which the data subjects whose personal data is transferred are located. For Module Three transfers, the competent supervisory authority is the supervisory authority applicable to the data exporter in its role as processor. For UK transfers under the UK Addendum, the competent supervisory authority is the UK Information Commissioner's Office. For Swiss transfers, the competent supervisory authority is the FDPIC (and the EDPB / lead supervisory authority where applicable).
Annex A — Description of processing
- Subject matter: provision of the revsko Service to the Customer.
- Duration: for the term of the Customer's subscription and the deletion period described in the Privacy Policy.
- Nature and purpose: operating the Customer's configured outbound workflow, including research, drafting, sending, reply triage, follow-up, and outcome measurement.
- Categories of data subjects: Customer's personnel and authorised users; the Customer's prospects, contacts, and recipients; people the Customer otherwise authorises Coedify to process information about.
- Categories of Personal Data: names, business contact details (email, phone, LinkedIn), job titles, company affiliations, message content and metadata, calendar events, workflow state, audit logs, and information retrieved through Customer-authorised integrations (such as Google Workspace or Microsoft 365).
- Sensitive data: the Service is not designed for processing special categories of personal data or sensitive personal data, and the Customer agrees not to upload such data unless expressly agreed in writing with Coedify.
- Frequency: continuous, for the duration of the Service.
- Retention: as described in section 10 of the Privacy Policy.
Annex B — Technical and organisational measures (SCC Annex II)
Coedify applies the following technical and organisational measures, which may be updated provided the level of protection is not materially reduced. Additional detail is published on the Security page and incorporated here by reference.
- Pseudonymisation and encryption. TLS 1.2 or higher in transit. AES-256 (or equivalent provided by the underlying cloud platform) at rest, including for OAuth tokens and message content. Secrets and provider credentials are held in a managed secret store with access audit logging.
- Confidentiality, integrity, availability, and resilience of processing systems. Tenant-isolated data stores; role-based access control with least privilege; multi-factor authentication for production access; managed cloud infrastructure with provider-operated physical security; network segmentation between public and internal services; centralised logging and monitoring of security and operational events; capacity and rate-limit controls.
- Ability to restore the availability of and access to Personal Data in a timely manner. Regular encrypted backups; documented disaster-recovery and restoration procedures; periodic recovery testing.
- Regular testing, assessment, and evaluation of effectiveness. Code review and dependency scanning on production changes; vulnerability monitoring and patching; periodic internal review of security controls; intent to pursue independent certification (ISO 27001 / SOC 2) as the business scales.
- Measures for user identification and authorisation. Federated sign-in (Google / Microsoft) where chosen by the Customer; per-tenant role-based access control (Admin / Sales Rep / Viewer); least-privilege agent permissions (Research reads only; Outreach sends only approved drafts).
- Measures for the protection of data during transmission. TLS 1.2+ for all client and server-to-server traffic; HSTS on the marketing site; signed webhooks for provider callbacks where supported by the provider.
- Measures for the protection of data during storage. Encryption at rest; minimum-necessary retention as set out in Privacy Policy section 10; OAuth tokens deleted on disconnection.
- Measures for ensuring physical security of locations at which Personal Data is processed. Production infrastructure hosted in cloud-provider data centres with industry-standard physical security operated by the provider.
- Measures for ensuring events logging. Application audit logging of administrative actions, approvals, sub-processor calls, and access to Customer Data; centralised log aggregation; tamper-resistant log retention up to 90 days.
- Measures for ensuring system configuration, including default configuration. Hardened defaults; configuration as code; secrets not committed to source control; change management with code review.
- Measures for internal IT and IT security governance and management. Written security policies; designated security contact at security@revsko.com; vendor due diligence on Sub-processors; documented incident-response procedure.
- Measures for certification / assurance of processes and products. Mapping to recognised frameworks (ISO 27001, SOC 2); plans for independent assessment.
- Measures for ensuring data minimisation. OAuth scopes are limited to the minimum required for the configured features (see Privacy Policy section 5). Customer Data fields are limited to those needed for the workflow.
- Measures for ensuring data quality. Contact de-duplication; enrichment audit trail; data-correction tooling.
- Measures for ensuring limited data retention. See Privacy Policy section 10.
- Measures for ensuring accountability. This DPA and the records of processing maintained under it; audit log retention; cooperation with Customers' data-subject-rights responses.
- Measures for allowing data portability and ensuring erasure. XLSX export of Customer-owned contact and company records; deletion routes documented in the Privacy Policy.
- Measures for transfers to (sub-)processors. Written sub-processor agreements; Article 28-equivalent obligations flowed down; full liability of Coedify for Sub-processor performance under Article 28(4).
The list of authorised Sub-processors is published at revsko.com/security/#subprocessors and forms Annex III to the SCCs.
Contact
Coedify Technology LLP
C-89, 5th Floor, Sector 2, Noida, Uttar Pradesh 201301, India
Privacy: privacy@revsko.com
Legal: legal@revsko.com