This Data Processing Agreement (the “DPA”) supplements the Terms of Service and Master Services Agreement between Reva.ai LLC, a New Jersey limited liability company doing business as “R.ai” (“R.ai,” “we,” “us,” the “Service Provider”), and the Customer identified in the Master Services Agreement (the “Customer”). It governs R.ai's processing of personal data on the Customer's behalf and is incorporated into the Agreement by reference.
1.1 Capitalised terms not defined here have the meanings given to them in the Master Services Agreement, the Terms of Service, or the Privacy Policy.
1.2 For the purposes of this DPA:
2.1 With respect to Caller Personal Data processed in connection with the Service, the Customer is the “business,” “controller,” or analogous role-holder, and R.ai is the “service provider,” “contractor,” or “processor.” R.ai will process Caller Personal Data only on the documented instructions of the Customer, which include the Master Services Agreement, the Terms of Service, the Privacy Policy, the Customer's Dashboard configurations, and this DPA.
2.2 With respect to Customer account data (business contact information, billing information, configurations, and Dashboard activity logs), R.ai acts as a controller in its own right. Such data is governed by the Privacy Policy and is outside the scope of this DPA.
2.3 R.ai does not sell or share Personal Data for cross-context behavioural advertising and is contractually prohibited under this DPA from doing so. R.ai will not use Personal Data for any purpose other than (a) providing the Service to the Customer; (b) generating aggregated and de-identified datasets that cannot reasonably be linked back to a Data Subject (as described in Section 12); and (c) complying with applicable law.
3.1 Subject matter.R.ai processes Personal Data to operate the R.ai AI voice-agent service on the Customer's behalf — receiving inbound calls, taking orders, transferring complex calls to a designated back-line, surfacing call data in the Customer Dashboard, and delivering related analytics.
3.2 Duration. Processing continues for the term of the Agreement and for a wind-down window of up to ninety (90) days after termination, during which the Customer may export its data. Anonymised and aggregated datasets that cannot reasonably be linked to a Data Subject may be retained indefinitely as set forth in Section 12.
3.3 Nature of the processing. Collection, recording, storage, retrieval, organisation, structuring, transcription, natural-language understanding, analytics, transfer to Sub-processors listed in Section 6, retention, deletion, and any related activity necessary to deliver the Service.
3.4 Purpose of the processing.Operating the Service; improving the quality of the Service (including training and tuning of proprietary models on aggregated, de-identified data); detecting and preventing fraud and abuse; complying with legal obligations; and enforcing R.ai's rights under the Agreement.
4.1 Categories of Data Subjects.
4.2 Types of Personal Data.
4.3 R.ai does not knowingly collect Personal Data from natural persons under the age of thirteen (13). If R.ai becomes aware that Personal Data from a child under 13 has been processed, R.ai will delete it promptly and notify the Customer.
R.ai will:
The Customer will:
6.1 The Customer authorises R.ai to engage the Sub-processors listed at joinrai.com/subprocessors (the “Sub-processor List”). R.ai will maintain the Sub-processor List as a current and complete list of all Sub-processors that process Personal Data in connection with the Service.
6.2 R.ai will give the Customer at least thirty (30) days' prior notice before adding a Sub-processor that will process Personal Data, via email to the Customer's notice address and by updating the Sub-processor List. The Customer may object in writing to such addition within fifteen (15) business days on reasonable grounds relating to the protection of Personal Data; the parties will then confer in good faith to resolve the objection, and if unresolved the Customer may terminate the affected portion of the Service for convenience, without penalty, on thirty (30) days' notice.
6.3 R.ai will enter into a written agreement with each Sub-processor that imposes data-protection obligations substantially equivalent to those set out in this DPA. R.ai remains liable to the Customer for each Sub-processor's compliance with such obligations.
7.1 In version 1 of the Service, R.ai stores and processes Personal Data exclusively within the United States. The Service is not offered in the European Economic Area, the United Kingdom, or Switzerland in version 1, and no cross-border transfers of Personal Data take place in the ordinary course of operating the Service.
7.2 If and when R.ai launches the Service in a jurisdiction subject to the GDPR or UK GDPR, the Standard Contractual Clauses are hereby incorporated into this DPA by reference and will govern any transfer of Personal Data from such jurisdiction to R.ai or a Sub-processor in the United States. R.ai will complete the relevant Module of the Standard Contractual Clauses (Module 2 — Controller to Processor) and will execute any additional transfer-impact assessment required by the originating regulator.
8.1 R.ai maintains the following technical and organisational measures:
8.2 The list above is a current snapshot. R.ai may update these measures provided that the updates do not materially reduce the overall level of security.
9.1 R.ai will notify the Customer of a Security Incident affecting Personal Data without undue delay after becoming aware of the Security Incident, and in any event within seventy-two (72) hours. Initial notification will be sent to the Customer's designated notice address and may be supplemented by further information as the investigation progresses.
9.2 R.ai's notification will, to the extent reasonably available at the time, describe:
9.3 Notification of a Security Incident is not an acknowledgment by R.ai of fault or liability with respect to the Security Incident.
9.4 R.ai will reasonably cooperate with the Customer's investigation and remediation efforts and with any notification the Customer is required to make to a Data Subject, supervisory authority, or other governmental body. Costs of such cooperation, beyond what is reasonably necessary to discharge R.ai's own legal obligations, are borne by the Customer.
10.1 Upon the Customer's reasonable written request, and not more than once per twelve (12) month period (except where required by Applicable Privacy Laws or following a Security Incident), R.ai will make available to the Customer the most recent SOC 2 Type II, ISO 27001, or equivalent third-party audit report covering R.ai or its Sub-processors, where available. Until such reports are available, R.ai will respond to a reasonable written questionnaire within thirty (30) days.
10.2 If the information made available under Section 10.1 does not provide sufficient information for the Customer to verify R.ai's compliance with this DPA, the Customer may, on at least thirty (30) days' prior written notice, conduct an on-site audit of R.ai's facilities and processes during normal business hours. Such audit will be subject to reasonable confidentiality and security controls and will not unreasonably disrupt R.ai's operations.
10.3 Where the audit is conducted by a third party on the Customer's behalf, the third party must not be a competitor of R.ai and must execute a non-disclosure agreement on terms no less protective than those between R.ai and the Customer.
11.1 On termination of the Agreement (for any reason), R.ai will, at the Customer's written election, return or delete all Personal Data within ninety (90) days after termination, except to the extent that retention is required by applicable law or for the establishment, exercise, or defence of legal claims.
11.2 The Customer may export Personal Data in machine-readable form during the ninety-day wind-down window through the Dashboard or by written request. R.ai will provide the export in CSV format (orders and caller phonebook), MP3 files (recordings excluding payment portions), and JSON files (transcripts).
11.3 At the end of the wind-down window, R.ai will delete all Personal Data from production systems and from routine backup rotations. Personal Data residing in encrypted disaster-recovery snapshots will be retained for the remaining life of the snapshot cycle (not exceeding thirty (30) days) and then expire automatically.
11.4 Anonymised and aggregated datasets that cannot reasonably be linked to a Data Subject are not Personal Data and may be retained indefinitely as described in Section 12.
12.1 The Customer acknowledges that R.ai derives aggregated and de-identified datasets from Personal Data processed in connection with the Service, such as call-volume statistics, intent distributions, anonymised transcripts with caller identifiers stripped, and benchmark metrics across the R.ai customer base.
12.2 R.ai will not re-identify, or attempt to re-identify, any aggregated or de-identified dataset, and will require its Sub-processors and any recipients of such datasets to maintain equivalent commitments.
12.3 Aggregated and de-identified data may be retained, used, and disclosed (including to third parties) without restriction, subject to the obligations of this Section 12 and any applicable law.
13.1 R.ai will assist the Customer in responding to requests from Data Subjects exercising their rights under Applicable Privacy Laws, including rights to access, correct, delete, or port their Personal Data, and the right to opt out of the “sale” or “sharing” of their Personal Data.
13.2 If R.ai receives a Data-Subject request that on its face concerns Personal Data processed on behalf of the Customer, R.ai will, unless prohibited by law, forward the request to the Customer within ten (10) business days and will not respond to the Data Subject directly except to acknowledge receipt and refer the Data Subject to the Customer.
13.3 Where R.ai is required by Applicable Privacy Laws to respond directly (for example, to an authenticated CCPA “Right to Know” request submitted through R.ai's designated channel in respect of Customer-account-holder data), R.ai will respond within the timelines required by law.
13.4 The Customer remains responsible for the substance of the response to Data-Subject requests in respect of Caller Personal Data. R.ai will not modify, delete, or export Caller Personal Data in response to a Data-Subject request without the Customer's written instruction, except as required by law.
14.1 Each party's liability arising out of or in connection with this DPA is subject to, and forms part of, the aggregate limitation of liability set forth in the Master Services Agreement. Nothing in this DPA increases either party's aggregate liability beyond the cap stated in the Master Services Agreement.
14.2 The indemnities, allocations of risk, and disclaimers set forth in the Master Services Agreement and Terms of Service apply to this DPA in full.
15.1 In the event of conflict between this DPA and the Master Services Agreement, this DPA controls solely to the extent of the conflict and solely with respect to the parties' data-protection obligations.
15.2 This DPA takes effect on the effective date set forth above and remains in force for as long as R.ai processes Personal Data on behalf of the Customer. Sections 9, 10, 11, 12, and 14 survive termination.
15.3 R.ai may amend this DPA from time to time on at least thirty (30) days' prior notice posted to joinrai.com/dpaand emailed to the Customer's notice address. If the Customer objects to a material amendment, the Customer may terminate the Service for convenience without penalty on thirty (30) days' notice.
15.4 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.
15.5 This DPA is governed by the laws of the State of New Jersey, without regard to its conflict-of-laws principles, and the parties submit to the dispute-resolution mechanism set forth in the Master Services Agreement.
For data-protection inquiries, exercise of rights, or Security-Incident notifications, contact ezra@joinrai.com or eitan@joinrai.com, or write to Reva.ai LLC, 459 Warwick Avenue, Teaneck, New Jersey 07666.
This DPA is a template provided for execution alongside the Master Services Agreement. The parties may execute a counter-signed, Customer-specific DPA on substantially equivalent terms on request.