Data Processing Addendum

Effective: September 27, 2021

This Data Processing Addendum (“DPA”) forms part of the SaaS Services Agreement or Terms of Use available at https://www.revenuecat.com/terms or such other location as the Terms of Use may be posted from time to time (as applicable, the “Agreement”), entered into by and between the Customer and RevenueCat, Inc. (“RevenueCat”), pursuant to which Customer has accessed RevenueCat’s Application Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regards to the processing of Customer Personal Data in accordance with the requirements of Data Protection Legislation.

In this DPA, “Data Protection Legislation” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, which may include, as applicable, EU Data Protection Law, the California Consumer Privacy Act of 2018, sections 1798.100 through 1798.199 of the California Civil Code (“CCPA”), and the Brazilian Federal Law 13,709 (“LGPD”). EU Data Protection Law includes (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”) and (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).

In the course of providing the Application Services to Customer pursuant to the Agreement, RevenueCat may process Customer Personal Data. “Customer Personal Data” means any data which is defined as ‘personal data’ or ‘personal information’ under applicable Data Protection Legislation processed by RevenueCat pursuant to the Agreement. RevenueCat agrees to comply with the following provisions with respect to Customer Personal Data. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.

By entering into this DPA, Customer instructs RevenueCat to Process Customer Personal Data: (a) to provide the Application Services in accordance with the features and functionality of the Application Services and related documentation; (b) to enable Customer’s authorized user-initiated actions on and through the Application Services; (c) as set forth in the Agreement and applicable order; and (d) as further documented by written instructions given by Customer. Notwithstanding the foregoing, RevenueCat will inform Customer promptly if it becomes aware that Customer’s instructions may violate applicable Data Protection Legislation.

Data Processing Terms

The parties agree that Customer is the data controller and that RevenueCat is its data processor in relation to Customer Personal Data. Customer shall comply at all times with Data Protection Legislation in respect of all Personal Data it provided to RevenueCat pursuant to the Agreement. The subject matter of the data processing covered by this DPA is the Application Services ordered by Customer either through RevenueCat’s website or through an order and provided by RevenueCat to Customer via www.revenuecat.com, or as additionally described in the Agreement or the DPA. The processing will be carried out for the term of the Agreement or until the term of Customer’s ordering of the Application Services ceases. Further details of the data processing are set out in Annexes 1A, 1B, 1C, 2, and 3 hereto.

In Paragraphs 1 through 11 below, (a) “data controller”, “data processor”, “Data Subject”, “Personal Data”, “processing”, “Supervisory Authority”, and “appropriate technical and organizational measures” shall be interpreted in accordance with applicable EU Data Protection Law and (b) “Customer Personal Data” shall refer to Customer Personal Data comprising of personal data of data subjects located in the European Economic Area (“EEA). 

In respect of Customer Personal Data, RevenueCat:

  1. shall process the Customer Personal Data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to RevenueCat from time to time). If RevenueCat is required to process the personal data for any other purpose provided by applicable law to which it is subject, RevenueCat will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest; and
  2. shall notify Customer without undue delay if, in RevenueCat’s opinion, an instruction for the processing of personal data given by Customer infringes applicable EU Data Protection Law.
  3. shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure (including those outlined in Annex 2 of this DPA, (“Security Measures”). These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of Customer Personal Data which is to be protected. RevenueCat may make such changes to the Security Measures as RevenueCat deems necessary or appropriate from time to time, including without limitation to comply with applicable law, provided no such changes will materially reduce the overall level of protection for Customer Personal Data.
  4. may hire other companies or persons for the purposes of providing the Application Services (“Sub-Processors”), including those set forth in Annex 3, provided that RevenueCat complies with the provisions of this DPA. Any such Sub-Processors will be permitted to process Customer Data only to deliver the Application Services RevenueCat has retained them to provide, and they shall be prohibited from using Customer Data for any other purpose. RevenueCat remains responsible for its Sub-Processors’ compliance with the obligations of this DPA. Any Sub-Processors to whom RevenueCat transfers Customer Data will have entered into written agreements with RevenueCat requiring that the Sub-Processor abide by terms no less protective than those in this DPA. If Customer requires prior notification of any updates of additional Sub-Processor to the list of Sub-Processors, Customer can request such notification in writing by emailing compliance@revenuecat.com. RevenueCat will update the Sub-Processor list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with applicable Data Protection Legislation. If, in RevenueCat’s reasonable opinion, such objections are legitimate, and RevenueCat is unable to modify the Application Services to prevent disclosure of Customer Data to the Sub-Processor, then Customer may, by providing written notice to RevenueCat, terminate the Agreement.
  5. shall take appropriate steps to ensure that all RevenueCat personnel required to access the Customer Personal Data are informed of the confidential nature of the personal data and comply with the appropriate technical and organizational measures, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate obligations of confidentiality.
  6. at the Customer’s request and cost (and insofar as is possible), shall reasonably assist the Customer by implementing appropriate and reasonable technical and organizational measures to assist with the Customer’s obligation to respond to requests from Data Subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data), provided RevenueCat is legally permitted to do so and that the Data Subject request was made in accordance with relevant Data Protection Legislation, and provided that RevenueCat reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance. If RevenueCat receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, RevenueCat will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Application Services. Customer hereby agrees that RevenueCat may confirm to a Data Subject that his or her requests relates to Customer.
  7. take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Article 32 to 36 of the General Data Protection Regulation taking into account the nature of the processing under this DPA, provided that RevenueCat reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.
  8. at the end of the applicable term of the Application Services, upon Customer’s request, RevenueCat shall securely destroy or return to Customer any Customer Data within RevenueCat’s possession or control, subject to RevenueCat’s standard data backup and archival practices. Such request must be made within thirty (30) days of termination. Thereafter RevenueCat may permanently delete the Customer Personal Data from its live systems.
  9. where required by Data Protection Legislation, shall allow, no more than once every 12 months and at Customer’s expense, Customer and its respective auditors or authorized agents to conduct audits or inspections of RevenueCat’s procedures relevant to the protection of Customer Personal Data to verify RevenueCat’s compliance with its obligations under this DPA during the term of the Agreement, provided that Customer has given RevenueCat at least forty-five (45) days prior written notice and such audit or inspection is conducted during reasonable business hours with minimal disruption to RevenueCat. Such audit may be carried out by Customer or an inspection body mutually agreed upon by the parties and composed of independent members in possession of the required professional qualifications and bound by a duty of confidentiality. Such audit shall have a duration of no longer than 48 hours. Representatives of Customer performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement, and shall abide by RevenueCat’s security policies while on RevenueCat’s premises. Upon completion of an audit, Customer agrees to promptly furnish to RevenueCat any written audit report or, if no written report is prepared, to promptly notify RevenueCat of any non-compliance discovered during the course of the audit. For the avoidance of doubt no access to any part of RevenueCat’s IT system, data hosting sites or centers, or infrastructure will be permitted as part of an audit or inspection.
  10. RevenueCat shall provide information reasonably requested by Customer to demonstrate compliance with the obligations set out in this DPA
  11. Subject to the terms and conditions of the Agreement and EU Data Protection Law, RevenueCat currently makes available the Standard Contractual Clauses (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en) as a transfer mechanism. The Standard Contractual Clauses (“SCCs”) apply to any transfer of Customer Personal Data under this DPA from the European Economic Area (EEA) to a country which is not deemed to have Adequacy as defined in EU Data Protection Law (to the extent such transfers are subject to EU Data Protection Law). The Standard Contractual Clauses and the terms of this Paragraph apply to the legal entity that executed the Standard Contractual Clauses as “data exporter” and its participating affiliates, all of which shall be deemed “data exporters.” For the purposes of the EU SCCs: (i) the module two (controller to processor) terms shall apply to the extent Customer is a Controller of Customer Personal Data and the module three (processor to processor) terms shall apply to the extent Customer is a Processor of the Customer Personal Data; (ii) Clause 9, Option 2 of the applicable module of the EU SCCs shall apply and RevenueCat may engage Sub-Processors as described in Paragraph 3 of this DPA; (iii) in Clause 11, the optional language shall be deleted; (iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the EU SCCs shall be carried out as set out in and subject to the requirements of Paragraph 8 of this DPA; (v) pursuant to Clauses 8.5 and 16(d), upon termination of this DPA, Customer Personal Data will be returned and/or destroyed in accordance with Paragraph 7 of this DPA; (vi) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by Irish law; (vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (viii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum. For the purposes of the UK SCCs: (ix) the Appendices or Annexes of the UK SCCs shall be populated with the relevant information set out in the Annexes to this Addendum; and (x) the UK SCCs shall be governed by the laws of and disputes shall be resolved before the courts of England and Wales. If and to the extent the Standard Contractual Clauses conflict with any provision of this Addendum regarding the transfer of Customer Personal Data from Customer to RevenueCat, the Standard Contractual Clauses shall prevail to the extent of such conflict.
  12. If Customer Data comprises Personal Data subject to the LGPD (“LGPD Covered Data”), then Customer Personal Data, as the term is used in this DPA, shall be deemed to include LGPD Covered Data.
  13. As used in this Paragraph 13, “Commercial Purpose”, “Consumer”, “Personal Information”, “Sell”, and “Service Provider” have the meanings assigned to them in the CCPA.

If Customer Data comprises Personal Data subject to the CCPA (“CCPA Covered Data”), RevenueCat is the Service Provider and, consistent with the requirements of the CCPA, shall not (a) Sell the CCPA Covered Data or (b) retain, use or disclose the CCPA Covered Data: (i) for any purpose, including any Commercial Purpose, other than for the specific purpose of providing and supporting the Application Services or (ii) outside of the Parties’ direct business relationship. RevenueCat certifies that it understands these restrictions and will comply with them. Customer acknowledges nothing in this Paragraph removes or lessens Customer’s obligations with respect to Personal Data under the Agreement or this DPA.

Customer will be responsible for responding to Consumer requests in relation to CCPA Covered Data (each, a “Consumer Request”). If RevenueCat receives a Consumer Request then, to the extent legally permissible, RevenueCat will advise the Consumer to submit the Consumer Request to Customer, and Customer agrees that RevenueCat may confirm to a Consumer that the Consumer Request relates to Customer. To the extent Customer is unable through its use of the Application Services to address a particular Consumer Request, RevenueCat will, upon Customer’s request and taking into account the nature of the CCPA Covered Data, provide reasonable assistance in addressing the Consumer Request (provided RevenueCat is legally permitted to do so and that Customer has verified the request in accordance with the CCPA).

Customer Responsibilities

Without limiting its responsibilities under the Agreement, Customer is solely responsible for: (a) Customer Data, subject to RevenueCat’s Processing obligations under the Agreement and this DPA; (b) providing any notices required by Data Protection Legislation to, and receiving any required consents and authorizations required by Data Protection Legislation from, persons whose Personal Data may be included in Customer Data; and (c) ensuring no special categories of Personal Data (GDPR Article 9) or Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing by the Application Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than its authorized users to access and use the Application Services or use (or permit others to use) the Application Services other than as described in the applicable Ordering Document, the Agreement and this DPA, or for any unlawful purpose.

Liability

Each Party’s (and each of its affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Data Protection Legislation.

Term and Termination

Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement.

Annex 1A

LIST OF PARTIES

Data exporter(s):

  • Name: The Customer entity identified in the Agreement or on an applicable Ordering Document. 
  • Address: The Customer’s address specified on the Ordering Document. 
  • Contact person’s name, position and contact details: The Customer’s contact nominated for receiving notifications, as set forth above in the DPA.
  • Activities relevant to the data transferred under the Standard Contractual Clauses: The data exporter is a customer of the data importer and utilizing the data importer’s services as described in more detail in the Agreement. 
  • Role (controller/processor): Controller and/or Processor.

Data importer(s):  

  • Name: RevenueCat, Inc.
  • Address: 633 Taraval St. Suite 101, San Francisco, CA, 94116
  • Contact person’s name, position and contact details: Miguel Carranza, Chief Technology Officer, compliance@revenuecat.com
  • Activities relevant to the data transferred under these Clauses: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement. 
  • Role (controller/processor): Processor. 

Annex 1B

DESCRIPTION OF THE TRANSFER

Categories of data subjects: 

Individuals about whom data is uploaded to the Application Services by (or at the direction of) the data exporter or by its authorized users, subsidiaries, and other participants whom the data exporter has granted the right to access the Application Services in accordance with the provisions of the Agreement.

Categories of personal data: 

The Personal Data transferred may include but is not limited to the following categories of data:

Any data uploaded to the Application Services by (or at the direction of) the data exporter or by its authorized users, subsidiaries and other participants whom the data exporter has granted the right to access the Application Services in accordance with the provisions of the Agreement.

Sensitive data transferred (if applicable) and applied restrictions or safeguards:  

  Not Applicable.

Frequency of the transfer: 

At data exporter’s discretion in using the Application Services, during the term of the Agreement. 

Nature of the processing:  

Customer Personal Data transferred will be processed in accordance with the Agreement and any Ordering Document, and may be subject to the following basic processing activities:

  1. Customer Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter’s instructions. The data importer processes Personal Data only on behalf of the data exporter. Processing operations include, but are not limited to the provision of the Application Services – this operation relates to all aspects of Personal Data processed.
  2. Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Application Services and specifically in answer to a data exporter query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.
  3. URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the Agreement. This operation relates to attachments and links in emails and will relate to any Personal Data within those attachments or links which could include all categories of Personal Data.
  4. Disclosures in accordance with the Agreement, as compelled by Data Protection Legislation.

Purpose(s) of the data transfer and further processing: 

Personal Data is processed for the purposes of providing the Application Services in accordance with the Agreement and any applicable Ordering Document.

Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:  

Personal Data will be retained until termination or expiry of the Agreement, in accordance with Paragraph 7 of this DPA.

Annex 1C

COMPETENT SUPERVISORY AUTHORITY

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.

Annex 2

TECHNICAL AND ORGANIZATIONAL MEASURES

Introduction

RevenueCat considers protection of Customer Data a top priority.  As further described in this RevenueCat Information Security Policy, RevenueCat uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under RevenueCat’s control. RevenueCat maintains these security measures and is currently in the process of being audited for SOC2 – Type II.

  1. Customer Data and Management.  RevenueCat limits its personnel’s access to Customer Data as follows:
    1. Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access and individually-assigned Secure Socket Shell (SSH) keys for external engineer access;
    2. Limits the Customer Data available to RevenueCat personnel on a “need to know” basis;
    3. Restricts access to RevenueCat’s production environment by RevenueCat personnel on the basis of business need;
    4. Encrypts user security credentials for production access; and
    5. Prohibits RevenueCat personnel from storing Customer Data on electronic portable storage devices such as computer laptops, portable drives and other similar devices.
  2. Data Encryption.  RevenueCat will utilize standard production ciphers using 128-bit AES in CBC mode and PKCS7 padding, with HMAC using SHA256 for authentication or equivalent.
  3. Network Security, Physical Security and Environmental Controls
    1. RevenueCat uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing Customer Data.
    2. RevenueCat maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Services.
    3. RevenueCat monitors privileged access to applications that process Customer Data, including cloud services.
    4. The Services operated on Amazon Web Services (“AWS”) are protected by the security and environmental controls of Amazon.  Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
  4. Independent Security Assessments.  RevenueCat periodically assesses the security of its systems and the Services as follows:
    1. Private and public security bug bounty programs.
    2. RevenueCat hires accredited third parties to perform audits and to attest SOC2 – Type 2 compliance and certifications annually .
  5. Incident Response.  If RevenueCat becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), RevenueCat will:
    1. Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
    2. Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, RevenueCat is not required to make such notice to the extent prohibited by Laws, and RevenueCat may delay such notice as requested by law enforcement and/or in light of RevenueCat’s legitimate needs to investigate or remediate the matter before providing notice.
    3. Each notice of a Breach will include:
      1. The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach;
      2. A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
      3. The scope of the Breach, to the extent known; and
      4. A description of RevenueCat’s response to the Breach, including steps RevenueCat has taken to mitigate the harm caused by the Breach.
  6. Business Continuity Management
    1. RevenueCat maintains an appropriate business continuity and disaster recovery plan.
    2. RevenueCat maintains processes to ensure failover redundancy with its systems, networks and data storage.
  7. Personnel Management
    1. RevenueCat performs employment verification, including proof of identity validation and criminal background checks for all new hires, including contract employees, in accordance with applicable law.
    2. Upon employee termination, whether voluntary or involuntary, RevenueCat immediately disables all access to RevenueCat systems, including RevenueCat’s physical facilities.

Annex 3

Entity NamePurposeLocation
ElasticA cloud service that stores our server logs and provides searching capabilitiesUSA
Amazon Web Services, IncOur servers and production infrastructure. These include (but not limited to) ECS, RDS, Redshift, Elasticsearch, and Elasticache.USA
SentryError monitoring toolUSA
HoneycombObservability tool for our production infrastructureUSA