DATA PROCESSING ADDENDUM (DPA)

Last Updated: February 2026

This Data Processing Addendum ("Addendum") forms part of the Terms of Service or other agreement between DNA SAAS LABS, LLC (t/a Rate My Service) ("Processor") and the entity agreeing to these terms ("Client" or "Controller") (together, the "Parties").

  1. DEFINITIONS
    1. "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU GDPR, the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
    2. "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Client.
    3. "Sub-processor" means any third party appointed by Processor to process Personal Data.
  2. SCOPE AND ROLE OF PARTIES
    1. Roles: Client is the Controller and RateMyService is the Processor. In a white-label context, Client remains the Controller regarding its own customers' data.
    2. Instructions: Processor shall process Personal Data only on written instructions from Client, including for the purpose of providing feedback collection and rating services.
  3. DATA PROTECTION OBLIGATIONS
    1. Confidentiality: Processor ensures that personnel authorized to process Personal Data have committed themselves to confidentiality.
    2. Security: Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those listed in Annex II.
    3. Data Subject Rights: Processor shall, insofar as is possible, assist Client in fulfilling its obligations to respond to requests from individuals exercising their rights (e.g., access, deletion, or portability).
  4. SUB-PROCESSORS
    1. Authorization: Client grants a general authorization to Processor to engage Sub-processors. Processor's current Sub-processors are listed in Annex III.
    2. Notification: Processor shall notify Client of any intended changes concerning the addition or replacement of Sub-processors via its website or email, giving Client the opportunity to object.
    3. Liability: Processor remains fully liable for the performance of the Sub-processor's obligations.
  5. INTERNATIONAL TRANSFERS
    1. Mechanisms: If Processor transfers Personal Data from the EEA or UK to a country not recognized as providing an adequate level of protection (such as the United States), the Parties agree that the EU Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum are hereby incorporated by reference to provide a valid transfer mechanism.
  6. BREACH NOTIFICATION
    1. Processor shall notify Client without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach. Processor will provide sufficient information to allow Client to meet its own notification obligations.
  7. AUDIT RIGHTS
    1. Processor shall make available to Client information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits or inspections conducted by Client or an independent auditor.
  8. DELETION OR RETURN OF DATA
    1. Upon termination of the Services, Processor shall, at the choice of Client, delete or return all Personal Data, unless applicable law requires continued storage.
  9. CALIFORNIA SPECIFIC TERMS (CCPA/CPRA)
    1. Processor shall not:
      1. sell Personal Data;
      2. retain, use, or disclose Personal Data for any purpose other than the specific business purpose of providing the Services.

      Processor certifies that it understands these restrictions.

ANNEX I: DETAILS OF PROCESSING

  1. Subject Matter: The provision of feedback collection, rating software, and dashboard management services.
  2. Duration: The term of the Agreement plus the period until all data is deleted.
  3. Nature and Purpose: Processing to enable Client to collect, store, and analyze feedback from their own customers via email signatures and web interfaces.
  4. Categories of Data Subjects:
    • Client's customers
    • Client's employees/staff members
  5. Categories of Personal Data:
    • Names and Email addresses
    • Customer feedback/comments and ratings
    • Technical data (IP addresses, device type, browser info)
    • Profile photos (if synced via Google/Microsoft OAuth)

ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES

Processor maintains the following security measures:

ANNEX III: APPROVED SUB-PROCESSORS

Client approves the use of the following Sub-processors:

Sub-processor      | Purpose                      | Location
Google Cloud/APIs  | Authentication & Data Import | USA/Global
Microsoft Azure    | Authentication & Data Import | USA/Global
Stripe             | Payment Processing           | USA
Mandrill/Mailchimp | Email Delivery               | USA
Outscraper         | Review Aggregation           | Global
Tawk.to            | Customer Support Chat        | USA