Definitions and roles
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service between Reputacion (the "Processor") and the customer (the "Controller"). It governs the processing of personal data carried out by Reputacion on behalf of the Controller under Article 28 GDPR. The terms "personal data", "processing", "data subject", "controller" and "processor" have the meaning given to them in the GDPR.
Purpose, nature and duration
Reputacion processes personal data solely to provide the Reputacion services: collecting, displaying and managing customer reviews, sending review-request campaigns by email and SMS, and related analytics. Processing lasts for the duration of the customer's subscription plus any legally required retention period.
Categories of data and data subjects
The categories of personal data processed include:
- Identification data (name, email address, phone number)
- Review content and ratings submitted by data subjects
- Campaign engagement data (opens, clicks, responses)
- Technical data (IP address, device, browser) collected by the widget and the platform
Data subjects are the Controller's customers and prospects, as well as the Controller's staff who use the platform.
Documented instructions
Reputacion processes personal data only on the Controller's documented instructions, including those set out in this DPA and the platform configuration, unless required otherwise by Union or Member State law. Reputacion informs the Controller if it considers that an instruction infringes data protection law.
Confidentiality
Reputacion ensures that persons authorised to process personal data are bound by confidentiality obligations and receive appropriate data protection training.
Security measures
Reputacion implements appropriate technical and organisational measures under Article 32 GDPR, including encryption in transit (HTTPS/TLS), access controls, hosting with certified providers, regular backups and monitoring, to ensure a level of security appropriate to the risk.
Sub-processors
The Controller authorises Reputacion to engage the sub-processors listed below. Reputacion imposes on each of them data protection obligations equivalent to those set out in this DPA and remains liable for their performance. Reputacion will inform the Controller of any intended change of sub-processors, giving it the opportunity to object.
International transfers
Where personal data is transferred outside the EU/EEA, Reputacion ensures an adequate level of protection through appropriate safeguards under Chapter V GDPR, in particular the European Commission's Standard Contractual Clauses (SCCs).
Assistance to the controller
Taking into account the nature of the processing, Reputacion assists the Controller with appropriate measures in responding to data-subject requests (access, rectification, erasure, portability, objection) and in ensuring compliance with its obligations under Articles 32 to 36 GDPR.
Personal data breaches
Reputacion notifies the Controller without undue delay after becoming aware of a personal data breach and provides the information the Controller needs to meet its own notification obligations.
Return and deletion of data
Upon termination of the services, Reputacion will, at the Controller's choice, delete or return all personal data processed on its behalf and delete existing copies, unless Union or Member State law requires storage.
Audits and inspections
Reputacion makes available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice and confidentiality.
Contact
For any question relating to this DPA or the processing of personal data, contact our Data Protection Officer:
Email: privacy@reputacion.io
Address: Reputacion SAS, 31 rue du Chanoine Boulanger, 54220 Malzéville (Nancy), France