Data Processing Addendum

This Data Processing Addendum forms part of the legal framework between Revsnap and the customer that uses the service. It applies where Revsnap processes personal data on the customer's behalf in connection with the service.

This Addendum should be read together with the Terms of Service, the Privacy Policy, and any applicable order form or enterprise agreement.

For customer personal data processed through the service, the customer generally acts as controller and Revsnap acts as processor. This Addendum governs that processor relationship.

To the extent Revsnap processes data as an independent controller, that processing is governed by the Privacy Policy rather than this Addendum.

• Subject matter: provision of the Revsnap regression testing service.
• Nature and purpose: hosting, storing, transmitting, comparing, and otherwise processing personal data submitted to provide the service.
• Data subjects: customer personnel and individuals whose data appears in customer-controlled Salesforce records processed through the service.
• Categories of personal data: identifiers, professional details, account data, authentication artifacts, and customer-selected Salesforce business records that may incidentally include personal data.
• Special categories: not expected and should not be submitted unless expressly agreed in writing.

The customer is responsible for:

• Having a lawful basis for the personal data it submits or asks Revsnap to process.
• Providing required notices and obtaining required consents from data subjects where applicable.
• Issuing processing instructions through the service and applicable written agreement.

• Process personal data only on the customer's documented instructions, except where required by law.
• Ensure authorized personnel are bound by appropriate confidentiality obligations.
• Maintain technical and organizational measures appropriate to the risk.
• Assist the customer with data-subject requests, security obligations, and breach response as required by applicable law.
• Delete or return personal data at the end of the service relationship, subject to limited residual retention required by law or backup processes.

Revsnap maintains administrative, technical, and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Those measures include access controls, encryption in transit, managed protections for stored service data and sensitive credentials, auditability of key workflows, and documented incident-response and operational procedures.

The customer authorizes Revsnap to use subprocessors that are reasonably necessary to host, operate, secure, and support the service.

Revsnap maintains a current public list at Sub-processors. Revsnap will provide advance notice of material subprocessor changes in line with its published process.

If Revsnap receives a request relating to customer-controlled personal data, Revsnap will route the request to the customer unless required by law to respond directly.

Revsnap will provide reasonable assistance to help the customer respond to data-subject requests and meet applicable security, breach, and regulatory obligations, taking into account the nature of the processing and the information available to Revsnap.

Revsnap will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data and will provide relevant information reasonably available at the time.

Revsnap will cooperate with the customer in connection with investigation, containment, remediation, and legally required notifications.

On termination of the service relationship, the customer may use available service capabilities or agreed transition procedures to export customer data during any applicable post-termination access period.

After that period, Revsnap will delete customer personal data from production systems within a reasonable timeframe, subject to legal retention obligations and limited residual backup retention.

Where personal data is transferred from the UK, EEA, or other restricted jurisdictions to locations without an adequacy decision, Revsnap uses appropriate contractual or legal safeguards, including standard contractual transfer mechanisms where required.

Revsnap may provide customers with reasonable information to demonstrate compliance with this Addendum, including this public page, the subprocessor list, and additional documentation or questionnaire responses during enterprise review.