Data Processing Agreement
Last updated: December 28, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between AppReviewSuite ("Processor") and the Customer ("Controller") and governs the processing of personal data.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data (you, the Customer).
- "Processor" means the entity that processes Personal Data on behalf of the Controller (AppReviewSuite).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Protection Laws" means GDPR, CCPA, and any other applicable data protection legislation.
2. Scope of Processing
2.1 Subject Matter
The Processor will process Personal Data on behalf of the Controller for the purpose of providing the AppReviewSuite service, including:
- Aggregating and storing app reviews from connected app stores
- Analyzing review content using AI for sentiment, topics, and insights
- Generating AI-powered reply suggestions
- Posting replies to app stores on behalf of the Controller
- Providing analytics and reporting
2.2 Types of Personal Data
- Reviewer names and identifiers (from app store reviews)
- Review content and ratings
- Controller employee names and email addresses
- Usage data and analytics
2.3 Categories of Data Subjects
- App users who submit reviews
- Controller's employees and authorized users
2.4 Duration
Processing will continue for the duration of the service agreement, plus any retention period required by law or for legitimate business purposes (not exceeding 90 days after termination).
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
- Delete or return Personal Data upon termination of the service agreement
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Controller or its representative
4. Sub-processors
4.1 Authorization
The Controller hereby provides general authorization for the Processor to engage Sub-processors, subject to the conditions in this section.
4.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| OpenAI | AI processing for analysis and reply generation | United States |
| Amazon Web Services | Cloud infrastructure and hosting | Various (configurable) |
| Razorpay | Payment processing | India |
| Resend | Email delivery | United States |
4.3 Changes to Sub-processors
The Processor will provide at least 30 days' notice before adding or replacing Sub-processors. The Controller may object to such changes within 14 days. If no resolution is reached, the Controller may terminate the affected services.
5. International Transfers
Personal Data may be transferred outside the European Economic Area (EEA). Such transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Other appropriate safeguards as required by applicable law
6. Security Measures
The Processor implements and maintains appropriate technical and organizational measures, including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Access controls and authentication measures
- Regular security assessments and penetration testing
- Employee security training and confidentiality obligations
- Incident response and business continuity procedures
Detailed security measures are described in our Data Security Policy.
7. Data Breach Notification
In the event of a Personal Data breach, the Processor will:
- Notify the Controller without undue delay (within 48 hours of becoming aware)
- Provide information about the nature of the breach, categories of data affected, and likely consequences
- Take immediate steps to mitigate the breach and prevent recurrence
- Assist the Controller in meeting its breach notification obligations
8. Data Subject Rights
The Processor will assist the Controller in responding to Data Subject requests, including requests for access, rectification, erasure, data portability, and objection to processing. The Controller remains responsible for responding to Data Subjects.
9. Audits
The Controller or its designated auditor may conduct audits to verify compliance with this DPA, subject to reasonable notice and confidentiality obligations. The Processor will make available relevant documentation and cooperate with audit activities.
10. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor will, at the Controller's choice, delete or return all Personal Data within 30 days, except where retention is required by law.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the main service agreement. The Processor is liable for damages caused by processing that does not comply with Data Protection Laws or this DPA.
12. Contact
For questions about this DPA or to exercise rights under it, please contact our Data Protection Officer at: dpo@appreviewsuite.com
Need a Signed DPA?
Enterprise customers can request a countersigned copy of this DPA for their records.