Effective Date: June 1, 2026
Supplement to the ToS - Version dated June 1, 2026
This Data Processing Agreement ("DPA") forms part of the ToS and governs the processing of personal data by Provider on behalf of Customer pursuant to Art. 28 GDPR. Capitalized terms not defined here have the meaning given in the ToS.
1.1 The subject matter of processing is the provision of the Service as a technical SaaS tool for connecting, configuring, synchronizing, monitoring and displaying metadata from Connected Applications and Third-Party Services, including monetization, entitlement, usage, credit, customer-access and billing-provider configuration data.
1.2 This DPA applies for the term of the Agreement and ends upon termination of the Agreement, except where statutory retention obligations or lawful post-termination processing apply.
2.1 Nature of processing: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure and destruction of personal data.
2.2 Purpose of processing: provision of the Service, account administration, integration, configuration, synchronization, monitoring, event processing, entitlement management, usage tracking, credit-balance handling, customer-access management, support, troubleshooting, security, misuse prevention, billing metrics and compliance with Customer's documented instructions.
The categories of data subjects and personal data are described in Appendix 1. Provider does not process full payment card numbers, bank account credentials or payment instrument data on behalf of Customer unless expressly agreed in writing. Such data is generally processed by Third-Party Services such as Stripe.
4.1 Customer is the controller for Customer Data processed through the Service, unless the parties expressly agree otherwise for a specific processing activity.
4.2 Provider acts as processor for Customer Data processed on Customer's behalf under this DPA.
4.3 Provider may act as independent controller for its own business operations, including account administration, billing, security logs, website analytics, marketing and support communications, as described in the Privacy Policy.
5.1 Customer is responsible for the lawfulness of the processing, including legal bases, transparency notices, consents, data minimization, retention instructions and the lawfulness of all instructions.
5.2 Customer shall not instruct Provider to process special categories of personal data, criminal-offense data, payment card data or other high-risk data unless expressly agreed in writing and supported by appropriate safeguards.
5.3 Customer is responsible for configuring the Service, Connected Applications and Third-Party Services in a privacy-compliant manner, including entitlement rules, usage keys, credit balances, customer-access logic and event or usage data submitted to the Service.
5.4 Customer shall ensure that its instructions are complete, accurate and technically feasible. Customer shall promptly notify Provider if Customer believes that an instruction or configuration may be unlawful or may require additional safeguards.
6.1 Customer's documented instructions include this DPA, the Agreement, the applicable order form or plan description, Customer's dashboard configuration, API calls, SDK calls, webhook configuration, support requests and other written instructions accepted by Provider.
6.2 Provider shall process personal data only in accordance with documented instructions from Customer, unless EU or Member State law requires otherwise. In such a case, Provider shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
6.3 If Provider reasonably believes that an instruction infringes applicable data-protection law, Provider will inform Customer without undue delay. Provider may suspend execution of the relevant instruction until Customer confirms, modifies or withdraws the instruction.
6.4 Instructions outside the agreed scope of the Service, instructions requiring material changes to the Service, or instructions requiring disproportionate effort may be subject to a separate agreement, reasonable fees or technical feasibility limitations.
7.1 Provider ensures that persons authorized to process personal data are bound by confidentiality obligations.
7.2 Provider implements appropriate technical and organizational measures pursuant to Art. 32 GDPR as described in Appendix 2. Provider may update the TOMs over time, provided that the overall level of protection is not materially reduced.
7.3 Provider provides reasonable assistance to Customer with data subject requests, security obligations, DPIAs and consultations with supervisory authorities, taking into account the nature of processing and information available to Provider.
7.4 Assistance included in the standard Service is provided without separate charge. Provider may charge reasonable fees for assistance not included in the plan, for requests requiring disproportionate effort, for customized reports or for audits, unless the assistance is required due to a material breach of this DPA by Provider.
7.5 Provider shall make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, protection of other customers and Provider's legitimate business interests.
8.1 Customer grants Provider general authorization to engage sub-processors for hosting, database services, infrastructure, monitoring, support, security, communications, analytics, payment collection for Provider's own fees and similar operational services.
8.2 Provider will maintain a current list of sub-processors in Appendix 3, in the Service, in the documentation, in the customer account area, in a trust center, or otherwise upon request. The list will provide sufficient information for Customer to assess the use of sub-processors under Art. 28 GDPR, including at least the identity of the sub-processor, the relevant service category or processing purpose, and, where applicable, information on third-country transfer mechanisms. Provider is not required to disclose information that would compromise security, confidentiality, trade secrets, resilience or the protection of other customers.
8.3 Provider will impose data-protection obligations on sub-processors that are substantially equivalent to those in this DPA, to the extent applicable to the relevant processing. Provider remains responsible to Customer for the performance of sub-processors' data-protection obligations.
8.4 Provider will inform Customer of material changes to sub-processors with reasonable notice. Customer may object for good cause related to data protection within the period specified in the notice or, if no period is specified, within 14 days of the notice.
8.5 If Customer objects for good cause, the parties will seek a reasonable solution. If the objection cannot be resolved reasonably, Provider may suspend the affected functionality or terminate the Agreement to the extent the relevant sub-processor is necessary for providing the Service.
9.1 Transfers of personal data to third countries take place only where a valid transfer mechanism exists, such as an adequacy decision, the EU Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, or another mechanism recognized under GDPR.
9.2 Where Standard Contractual Clauses are required for transfers from Customer to Provider, the parties agree that the relevant controller-to-processor module applies. Where Provider authorizes a sub-processor in a third country and Standard Contractual Clauses are required, Provider shall ensure that an appropriate processor-to-processor transfer mechanism is in place.
9.3 Provider will provide reasonably available information on transfer mechanisms, sub-processors, transfer regions at an appropriate level of detail and supplementary measures upon request to support Customer's transfer assessment or transfer impact assessment. Provider may provide security-sensitive infrastructure information only in summarized form or under appropriate confidentiality conditions.
9.4 Customer acknowledges that Third-Party Services configured by Customer may independently transfer data under their own terms and privacy frameworks. Customer is responsible for assessing such transfers where Customer determines the relevant data flow or selects the relevant Third-Party Service.
10.1 Provider maintains procedures for detecting, assessing, escalating, documenting and responding to security incidents and personal data breaches affecting Customer Data.
10.2 Provider shall notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data. The notification may be sent by e-mail, dashboard notice, support channel or other appropriate means.
10.3 The notification will include, to the extent reasonably available to Provider at the time: a description of the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, measures taken or proposed to address the breach, and contact information for follow-up.
10.4 Provider may provide information in stages as it becomes available. Provider shall take reasonable steps to mitigate the effects of the breach and to assist Customer with Customer's notification obligations, taking into account the nature of processing and information available to Provider.
10.5 Customer is responsible for notifying supervisory authorities and data subjects where required by law, unless the parties expressly agree otherwise in writing.
11.1 Provider will make suitable evidence of compliance available upon request, such as security documentation, certificates, audit reports, penetration-test summaries, sub-processor information or TOM descriptions, to the extent available and subject to confidentiality.
11.2 Customer shall first use available documentation, certifications, reports and written responses to verify compliance. On-site audits are permitted only where legally required or where available documentation is insufficient to demonstrate compliance.
11.3 Audits must be requested with at least 30 days' prior written notice, occur during normal business hours, be limited to relevant processing activities, not compromise security or other customers' confidentiality, and be conducted by an independent auditor bound by confidentiality. Unless required due to a personal data breach or material non-compliance, audits may not occur more than once per calendar year.
11.4 Audits may not include access to Provider's source code, trade secrets, detailed security architecture, vulnerability details that would create security risks, data of other customers, or systems not relevant to Customer Data. Provider may provide reasonable alternatives such as screenshots, summaries, interviews, attestations or third-party reports.
11.5 Customer bears its own audit costs and reimburses Provider for reasonable support costs unless the audit reveals a material breach of this DPA by Provider.
12.1 Upon termination, Provider will delete or return Customer Data at Customer's choice to the extent technically possible and unless statutory retention obligations require further retention.
12.2 Customer may request export or return of Customer Data during the term and for 30 days after termination, where export functionality is available and technically feasible. Provider may provide exports in a commonly used electronic format or through available dashboard/API functionality.
12.3 If Customer does not request return within 30 days after termination, Provider may delete active Customer Data after expiry of that period, unless a different retention period is specified in the applicable plan, documentation or order form.
12.4 Backup copies may remain for up to 90 days after deletion from active systems until overwritten or deleted in accordance with Provider's backup lifecycle, unless a longer period is required for security, legal, operational or compliance reasons.
12.5 Provider may retain data to the extent required for legal claims, statutory retention, security evidence, accounting or compliance, provided that the retained data remains protected and is not processed for other purposes.
| Item | Description |
|---|---|
| Data subjects | End Users of the Connected Application; Authorized Users; Customer employees, contractors or representatives; support contacts. |
| Data categories | Account data, such as name, e-mail, role, authentication data and password hashes; customer and end-user identifiers; usage data, events, identifiers, statuses, timestamps and metrics; entitlement states; usage keys; consumption events; plan, trial and subscription status; purchase/session metadata; webhook payload metadata; Stripe Configuration Data; RevenueCat-related metadata if and when supported; log data, IP address, user agent and error logs; support communications. |
| Excluded data | Full payment card numbers, bank account credentials, payment instrument data and other payment data processed directly by Third-Party Services, unless expressly agreed otherwise. |
| Processing operations | Receiving and forwarding events; webhook processing; synchronization; normalization and mapping of metadata; dashboard display; API and SDK processing; entitlement and access-rule evaluation; usage tracking; credit-balance calculation and consumption; billing metrics; support; troubleshooting; security and misuse prevention. |
| Purposes | Provision of the Service, integration, configuration, monitoring, entitlement management, customer-access management, usage tracking, support, troubleshooting, security, misuse prevention and Customer instructions. |
| Retention | As configured by Customer or defined in the applicable plan, documentation or DPA; active Customer Data generally deleted or returned after termination as described in Section 12; logs typically retained for limited periods unless security, legal or operational needs require longer retention. |
| Measure | Status | Description |
|---|---|---|
| Access control | Implemented | User authentication, role-based permissions where available, least-privilege access, administrative-access logging, secure credential management. |
| Infrastructure control | Implemented / where applicable | Hosting in professionally operated data centers or cloud environments; network segmentation, firewalls, security groups and environment separation. Sub-processor and regional information is provided at an appropriate level of detail in Appendix 3 or the current sub-processor list, subject to security and confidentiality limitations. |
| Transfer control | Implemented / where applicable | TLS encryption in transit; webhook signing or verification where implemented; secure API authentication. |
| Storage control | Implemented / where supported | Encryption at rest where supported and configured by the relevant hosting or database provider; secrets management through KMS/Secret Manager or equivalent; backup and restore processes. |
| Input control | Implemented / where available | Audit logs for critical administrative actions such as API-key rotation, connected-account changes and user management where available. |
| Availability control | Implemented / plan-dependent | Monitoring, alerting, redundancy appropriate to the plan, incident response and regular updates/patching. Specific RTO/RPO commitments apply only if expressly agreed. |
| Separation | Implemented / where applicable | Logical or technical tenant isolation; separate development, staging and production environments where applicable. |
| Privacy by design | Implemented / ongoing | Data minimization, limited log retention where feasible, pseudonymization where possible, restrictive default configurations where appropriate. |
| Incident handling | Implemented | Procedures for detecting, assessing, escalating, documenting and responding to security incidents and personal data breaches. |
| Sub-processor management | Implemented / to be completed before production launch | Contractual data-protection obligations for sub-processors, documented sub-processor information or list, change-notice procedure and transfer-mechanism tracking. Security-sensitive infrastructure details may be provided only in summarized form or under appropriate confidentiality conditions. |
| Security testing | Planned / where applicable | Security reviews, vulnerability management, dependency updates and penetration-test summaries or equivalent evidence where available. |
Provider uses sub-processors for certain operational, infrastructure, support, security, communication, billing and integration-related services. Customer grants Provider a general authorization to engage sub-processors in accordance with Section 8 of this DPA.
Provider maintains the current sub-processor list in the Service, documentation, customer account area, trust center, or makes it available upon request. The current list will identify the relevant sub-processors and provide sufficient information for Customer to assess the use of sub-processors under Art. 28 GDPR, including the relevant service category or processing purpose and, where applicable, information on third-country transfer mechanisms.
For security and confidentiality reasons, Provider may provide some technical details, infrastructure details, internal security information, detailed hosting architecture, detailed monitoring/logging architecture, or other sensitive operational information only under appropriate confidentiality conditions or in summarized form. Provider is not required to disclose information that would compromise security, resilience, trade secrets, contractual confidentiality obligations or the protection of other customers.
Current service categories may include:
Provider will inform Customer of intended additions or replacements of sub-processors in accordance with Section 8.4. Customer may object for good cause related to data protection within the applicable objection period.
Stripe, RevenueCat or similar billing providers may be Customer-configured Third-Party Services rather than Provider sub-processors, depending on the relevant data flow, account relationship and processing role. Where such providers process personal data under Customer's own account or independent terms, Customer remains responsible for assessing the relevant data flow and transfer mechanisms in accordance with the Agreement.