Data Processing Addendum
This Data Processing Addendum (DPA) supplements the Terms of Service. It describes the roles and obligations of the parties when Secrevo processes personal data on behalf of a Customer. If your team is in the EU/UK or otherwise under GDPR, this is the document you'll want signed alongside any order form.
1. Roles
For personal data of your Members, Agents and end users that you place in your Workspace, you act as the controller and Secrevo acts as the processor. For account/billing data of the Customer's own representatives (the people who sign up and pay), Secrevo is an independent controller; that processing is described in our Privacy Policy.
2. Subject matter, duration and nature of processing
- Subject matter: hosting, transmitting, encrypting, and access-controlling secret values and the metadata necessary to manage them.
- Duration: for the term of the active subscription, plus the deletion windows described in the Terms.
- Nature and purpose: providing the Service as documented at secrevo.com.
- Categories of data subjects: Customer's employees, contractors, and any other natural persons that the Customer chooses to register as Members or whose identifiers appear in audit events.
- Categories of personal data: name, work email, role, sign-in identifier, IP address, audit metadata.
- Special-category data: none. Customers must not place special-category personal data in Secrevo.
3. Customer instructions
Secrevo will only process personal data per the Customer's documented instructions, which the Customer expresses by configuring its Workspace and by accepting these documents. We will inform the Customer if, in our opinion, an instruction infringes applicable data-protection law.
4. Confidentiality
Personnel authorized to access personal data are bound by confidentiality obligations and access only what they need to perform their tasks. Operational access leaves an audit footprint that the Customer can read in its own audit log.
5. Security measures
See the Security overview for the technical and organizational measures we apply. The list there is the appendix to this DPA. We will not materially weaken these controls without notifying the Customer.
6. Sub-processors
The current sub-processors are listed in the Privacy Policy (section 4). We will give the Customer at least 30 days' prior notice before adding or replacing a sub-processor that processes personal data of EU/UK data subjects. The Customer may object on reasonable data-protection grounds; if we cannot accommodate the objection, the Customer may terminate the affected portion of the Service and receive a pro-rata refund of pre-paid fees.
7. International transfers
Production data is processed in the United States (AWS us-east-1). Where personal data of EU/UK data subjects is transferred, the Standard Contractual Clauses (controller-to-processor, 2021/914 module two) and the UK Addendum (where relevant) apply by reference, with the Customer as data exporter and Secrevo as data importer. EU residency is available on enterprise plans on request.
8. Data subject requests
Most data-subject rights (access, correction, deletion of audit-visible activity) can be exercised by the Customer directly through the dashboard. Where the Customer needs Secrevo's assistance to respond to a request from a data subject, we will provide reasonable cooperation, charged at cost only for materially burdensome requests.
9. Personal data breach notification
Secrevo will notify the Customer's billing contact without undue delay (and within 72 hours of confirmation where the breach concerns personal data of EU/UK data subjects) after becoming aware of a personal data breach affecting the Customer's data. The notification will include, to the extent then known: the nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed.
10. Audit rights
The Customer may, at its own expense and once per twelve-month period (or after a confirmed breach), conduct an audit of Secrevo's compliance with this DPA. We will respond to a reasonable written audit questionnaire and, on request, provide summaries of any independent assessments we have undergone. On-site audits are reserved for enterprise customers with a signed master agreement.
11. Deletion or return on termination
On termination of the Service the Customer may export its data through the dashboard or by written request. Secrevo will then delete the data per the timelines in the Terms. We will provide written confirmation of deletion on request.
12. Conflicts
If anything in this DPA conflicts with the Terms of Service, this DPA controls with respect to processing of personal data on behalf of the Customer.
Questions about this document — or a request for a signed copy — go to legal@secrevo.com. Security disclosures: security@secrevo.com.