RevCore Pro

Data Processing Addendum

Last updated June 2026

This Data Processing Addendum ("DPA") supplements the RevCore Pro Terms of Service and applies whenever RevCore Pro processes personal data on your behalf. It tracks the processor obligations under GDPR Article 28 and the service provider terms under the CCPA.

1. Roles of the parties

For data you provide to RevCore Pro about your own customers, you are the data controller and RevCore Pro is the data processor.

We process that data only on your documented instructions, except where we are required to act otherwise by applicable law.

2. Subprocessors

We use a short list of subprocessors to operate the platform, published at /subprocessors.

We will provide at least 30 days notice before adding or replacing a subprocessor, and you have the right to object on reasonable grounds.

Each subprocessor is contractually bound to data protection obligations equivalent to those in this DPA, and we remain responsible to you for their performance.

3. Security measures

We implement the technical and organizational measures described on our security page, including encryption in transit and at rest, row-level security on tenant data, audit logging, and least-privilege access controls.

Our backend runs on Supabase and payments are processed through Stripe, both of which maintain their own security and compliance programs.

4. Personal data breaches

We will notify you without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting your data.

Our notice will include the information available at the time, with further updates as our investigation continues.

5. Data subject rights

We will assist you in responding to data subject requests, including access, correction, deletion, and portability.

You can fulfill most requests using the tools within RevCore Pro, or you can send documented requests to privacy@revcorepro.com.

6. International transfers

Where personal data is transferred from the EEA, the UK, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses, and the UK addendum where applicable, are incorporated by reference into this DPA.

7. Audits

On reasonable advance written notice, and no more than once per year except after a confirmed incident, you may request a summary of our most recent security audit and reasonably scoped information about our processing activities.

8. Signing the DPA

To request a countersigned copy, email legal@revcorepro.com with your business name, the scope of processing, and a contact for your data protection officer or equivalent.