Data Processing Agreement
ReviewerZero offers a Data Processing Agreement (DPA) for institutional customers and organizations that require formal data processing terms. Our DPA is based on the Common Paper DPA Standard Terms Version 1.1, providing a clear and standardized framework for data protection.
Overview
The DPA establishes ReviewerZero as a Processor (or Subprocessor when you act as a Processor) handling Customer Personal Data on your behalf. Key provisions include:
- Processing instructions - We only process data as instructed by you
- Subprocessor management - Approved list with 10 business day notice for changes
- Security incident response - Notification within 72 hours of becoming aware
- Audit rights - Information and reports available upon request
- Data deletion - Return or delete data at DPA expiration
CCPA Provisions
For customers subject to the California Consumer Privacy Act (CCPA):
- ReviewerZero operates as a service provider as defined under CCPA
- We receive Personal Data only to provide the Service
- We do not sell or share Customer Personal Data
- We do not retain, use, or disclose data except as necessary for the Service
Approved Subprocessors
We maintain transparency about the third-party services that may process your data:
Infrastructure & Hosting
| Subprocessor | Purpose |
|---|---|
| Railway.com | Application hosting and deployment |
| Amazon Web Services (AWS) | Cloud infrastructure, file storage, email delivery, document processing |
| Google Cloud Platform (GCP) | AI services and image analysis |
AI & Machine Learning Services
| Subprocessor | Purpose |
|---|---|
| Modal.com | Machine learning model hosting and execution |
| Perplexity AI | AI-powered search and research |
| OpenAI | Large language model services |
| Anthropic | Large language model services |
| Google (Gemini) | Large language model services |
| Roboflow | Computer vision and image analysis |
| Pangram Labs | Text analysis services |
| OpenRouter | AI model routing and aggregation |
Authentication & Identity
| Subprocessor | Purpose |
|---|---|
| Google OAuth | User authentication |
Payments & Billing
| Subprocessor | Purpose |
|---|---|
| Stripe | Payment processing |
| Autumn | Subscription and billing management |
Monitoring & Analytics
| Subprocessor | Purpose |
|---|---|
| Sentry | Error monitoring and performance tracking |
| PostHog | Product analytics |
Background Processing
| Subprocessor | Purpose |
|---|---|
| Trigger.dev | Background job processing |
CRM & Marketing
| Subprocessor | Purpose |
|---|---|
| HubSpot | Customer relationship management |
Search & Data Services
| Subprocessor | Purpose |
|---|---|
| Exa.ai | Web search services |
| OpenAlex | Academic metadata services |
| Crossref | Citation and DOI services |
Communication & Scheduling
| Subprocessor | Purpose |
|---|---|
| Cal.com | Meeting scheduling |
Development & Operations
| Subprocessor | Purpose |
|---|---|
| GitHub | Source code management and CI/CD |
| Vercel Edge Config | Configuration management |
Document Processing
| Subprocessor | Purpose |
|---|---|
| Datalab | Document parsing |
Data Processing Details
Categories of Data Subjects
- Customer's end users or customers
Categories of Personal Data
- Contact information (email, phone number, address)
- Professional or biographic information (resume, CV)
Nature and Purpose of Processing
| Activity | Description |
|---|---|
| Receiving data | Collection, accessing, retrieval, recording, data entry |
| Holding data | Storage, organization, structuring |
| Using data | Analysis, consultation, testing, automated decision making |
| Protecting data | Restricting, encrypting, security testing |
| Erasing data | Destruction and deletion |
Processing Duration
Data is processed as long as required to:
- Conduct the processing activities instructed by you
- Comply with applicable laws
International Data Transfers
EEA Transfers
For transfers from the European Economic Area:
- We implement EU Standard Contractual Clauses (SCCs)
- Module Two (Controller to Processor) or Module Three (Processor to Subprocessor) as applicable
- Governing law: Belgium
- 10 business day notice for subprocessor changes
UK Transfers
For transfers from the United Kingdom:
- We implement the UK Addendum to EU SCCs
- Governing law: England and Wales
Swiss Transfers
For transfers where Swiss law applies:
- References to GDPR amended to Swiss Federal Data Protection Act
- Swiss Federal Data Protection and Information Commissioner as supervisory authority
Security Measures
ReviewerZero implements commercially reasonable security measures to protect Customer Personal Data:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication
- Regular security audits and penetration testing
- Incident response procedures
- Employee security training
For details, see our Privacy and Security documentation.
Audit Rights
Customers have the right to audit ReviewerZero's compliance with the DPA:
- Security reports - Available upon written request (confidential)
- Due diligence responses - Annual questionnaire responses available
- Compliance records - Maintained for 3 years after DPA expiration
All audit requests should be directed to support@reviewerzero.ai.
Data Deletion
During the Agreement
- Customers can delete their data at any time through the Service
- Deletion requests are processed promptly
At DPA Expiration
- Data is returned or deleted at customer instruction
- Deletion certification available upon request
- Data may be retained only if required by applicable law
Subprocessor Change Notifications
We provide at least 10 business days' written notice before adding or replacing subprocessors. You have 30 days after notice to object to changes. If you object, we'll work in good faith to resolve your concerns.
Requesting a DPA
To request a Data Processing Agreement:
- Contact us at support@reviewerzero.ai
- Provide your organization details
- We'll prepare a customized Cover Page
- Both parties sign to execute the agreement
What's Included
The DPA consists of:
- Cover Page - Customized with your organization details and any specific terms
- Standard Terms - Common Paper DPA Standard Terms Version 1.1
- Annexes - Data processing details, security measures, and subprocessor list
Legal Framework
Standard Contractual Clauses
For international transfers, we incorporate:
- EEA SCCs - European Commission's 2021 Standard Contractual Clauses
- UK Addendum - ICO's International Data Transfer Addendum
Liability
- Liability is subject to the terms of the main service agreement
- The DPA does not limit liability for individual data protection rights
- EEA SCCs and UK Addendum violations are not subject to liability caps
Contact
For DPA-related inquiries:
- Email: support@reviewerzero.ai
- Address: 13456 Via Varra Unit 305, Broomfield, Colorado 80020, USA
Related Resources
- Privacy and Security - Overview of our security practices
- Platform Features - Security features in the platform