This Data Processing Agreement ("DPA") forms an integral part of, and is subject to, the applicable subscription, license, or service agreement, order form, or online Terms of Service between the Customer and Klaver Solutions (the "Master Agreement") governing the use of the Revano platform.
Processor: Klaver Solutions, Blaasbalg 14, 8253LX Dronten, The Netherlands, KVK 91096111.
Controller: The customer entity that has entered into the Master Agreement and uses Revano to process personal data.
Relationship: For end‑user personal data processed through Revano, the Customer is the Controller and Klaver Solutions is the Processor. For limited account and billing data, Klaver Solutions may act as an independent controller (as described in the Privacy Policy). This DPA applies only where Klaver Solutions acts as Processor.
The Processor processes personal data on behalf of the Controller to provide and support Revano’s dispute‑readiness, evidence‑logging, and audit platform.
Processing may include collection, receipt, recording, organization, storage, adaptation, retrieval, analysis (operational/logging/security), export, transmission, deletion, and destruction.
The Processor shall not process personal data for unrelated purposes or for marketing, profiling, or resale.
This DPA is effective while the Processor processes personal data on behalf of the Controller under the Master Agreement. Upon termination or expiry, the Processor will follow Section 14 (Return and Deletion of Data), including the 90‑day retention/purge logic.
The actual data submitted is determined solely by the Controller.
The Controller is responsible for informing data subjects where required by law.
The Processor shall only process personal data per documented instructions from the Controller, including transfers, unless required by EU or Member State law. The Master Agreement and this DPA constitute the Controller’s instructions; any additional instructions must be agreed in writing. If an instruction violates law, the Processor will inform the Controller and may suspend performance.
The Controller shall implement minimization and acknowledges the Processor has no obligation to assess content for legal violations.
The Processor ensures authorized persons are bound by confidentiality and restricts access using role‑based controls where appropriate.
The Processor implements appropriate technical and organizational measures per Article 32 GDPR, including secure password hashing (e.g., PBKDF2‑SHA256), encryption of sensitive secrets, TLS, secure sessions, CSP and CSRF enforcement, logging/auditing, rate limiting and IP throttling, per‑tenant isolation, tamper‑evident hashes for exports, and ongoing hardening. Measures may evolve provided security is not materially decreased.
The Processor may engage sub‑processors (infrastructure, storage, email, support tooling, payment services). Sub‑processors are bound by written contracts with protections at least as strong as this DPA. The Processor remains responsible and may provide lists or descriptions; updates may occur with legal rights to object where required.
Transfers to non‑EEA countries without adequacy will use appropriate safeguards (e.g., Standard Contractual Clauses). Information about safeguards may be provided upon request where permitted.
The Processor will reasonably assist with data subject requests and compliance obligations (security, DPIAs, consultations) to the extent related to data processed by the Processor. Direct requests will be referred to the Controller where possible.
The Processor will notify the Controller without undue delay upon becoming aware of a personal data breach, including, where available, the nature, scope, consequences, and measures taken or proposed to address the breach, and will cooperate to enable compliance.
The Processor will make available information necessary to demonstrate compliance. Subject to notice, frequency, and confidentiality limits, the Controller may audit once per year or more when required by law or following an incident. Audits may be satisfied by current certifications or independent reports where available.
Upon termination, the Controller may export its data. After the Master Agreement ends, data is retained up to 90 days, then irreversibly deleted unless legally required to retain limited records. The Controller may request deletion at any time; the Processor will delete per instructions unless law requires retention, and will confirm deletion upon request.
Liability follows the limitations in the Master Agreement unless prohibited by law. The Controller indemnifies the Processor for claims arising from the Controller’s non‑compliance (e.g., unlawful/excessive transmission, lack of notices or consents, violation of the Master Agreement).
This DPA is governed by the laws of The Netherlands. Disputes are subject to the exclusive jurisdiction of the competent courts of The Netherlands, unless otherwise mandated.
In the event of a conflict between this DPA and the Master Agreement, the provisions of this DPA prevail to the extent the conflict relates to processing of personal data under data protection laws.
Klaver Solutions
Blaasbalg 14
8253LX Dronten
The Netherlands
KVK 91096111
Email: [email protected]