Feedvance Data Processing Addendum (DPA), v1.0
Last updated: 15 February 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between:
(A) Customer (Controller); and
(B) Feedvance RaBu Media Integration (Processor).
This DPA applies to the extent Feedvance processes Personal Data on behalf of Customer in connection with the Service.
1. Definitions
“Applicable Data Protection Laws” means GDPR and any applicable national implementations, plus other privacy laws applicable to the parties.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject” have the meanings in GDPR.
2. Roles
2.1 Customer is Controller of Product Data (invitees, respondents, feedback content) processed via the Service.
2.2 Feedvance is Processor of such Product Data and processes it only on Customer’s documented instructions.
3. Subject Matter, Duration, Nature, Purpose
See Annex A (Details of Processing).
4. Processor Obligations
Feedvance will:
4.1 Process Personal Data only on documented instructions from Customer (including as configured/used by Customer in the Service), unless required by law (and then, where permitted, inform Customer).
4.2 Ensure persons authorized to process Personal Data are bound by confidentiality.
4.3 Implement appropriate technical and organizational measures (see Annex B).
4.4 Not engage another processor (subprocessor) without meeting the requirements in Section 7.
4.5 Assist Customer, taking into account the nature of processing, with:
(a) responding to Data Subject requests;
(b) security and breach obligations;
(c) DPIAs and consultations where reasonably required and proportionate.
4.6 At Customer’s choice, delete or return Personal Data after end of provision of services, and delete existing copies unless legally required (see Section 10).
5. Customer Obligations
Customer will:
5.1 Ensure it has a lawful basis to process Product Data, including sending invitations and collecting feedback.
5.2 Provide required notices to Data Subjects (Respondents and Feedback Subjects).
5.3 Ensure it does not instruct Processor to process data unlawfully (including special category data without safeguards).
5.4 Maintain appropriate access control over Authorized Users.
6. Security
6.1 Feedvance implements measures described in Annex B.
6.2 Customer is responsible for configuring user access and for content it collects.
7. Subprocessors
7.1 Customer authorizes Feedvance to use the subprocessors listed in Annex C.
7.2 Feedvance will impose data protection obligations on subprocessors that are no less protective than this DPA.
7.3 Changes: Feedvance will provide notice of new or replacement subprocessors by email at least 30 days in advance where feasible. Customer may object on reasonable data protection grounds within 14 days; if unresolved, Customer may terminate the affected part of the Service.
8. Personal Data Breach
8.1 Feedvance will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Product Data.
8.2 Notice will include available information needed for Customer to meet its obligations, including nature of breach, categories of data impacted, mitigation steps, and contact point.
9. Audits and Information
9.1 On request, Feedvance will make available information reasonably necessary to demonstrate compliance with this DPA.
9.2 Customer audits, if any, will be:
(a) limited to once per year (unless a serious incident justifies more),
(b) conducted with reasonable notice,
(c) scoped to Product Data processing,
(d) subject to confidentiality, and
(e) at Customer’s cost.
10. Return / Deletion
10.1 During term: Customer may delete Product Data via Service features.
10.2 After termination: At Customer’s choice, Feedvance will delete or return Product Data. Unless Customer requests earlier deletion, Feedvance will delete Product Data within 90 days after termination, except to the extent retention is required by law.
10.3 Backups: residual copies may persist for up to 30 days in backups, after which they are overwritten/deleted in the normal course.
11. International Transfers
11.1 Where Product Data is transferred outside the EEA, Feedvance will ensure appropriate safeguards (e.g., SCCs or other lawful mechanisms) are in place with relevant subprocessors.
11.2 If SCCs are used, they are deemed incorporated by reference, with the annex details aligned with Annex A–C of this DPA.
12. Liability
Liability under this DPA follows the liability terms in the main agreement, subject to mandatory law.
13. Order of Precedence
If there is a conflict, this DPA governs with respect to processing of Product Data.
ANNEX A – DETAILS OF PROCESSING
A1. Subject matter: Provision of the Service (feedback invitations, collection, aggregation, reporting).
A2. Duration: For the term of the agreement + retention/deletion periods in Section 10.
A3. Nature of processing: Collection, storage, organization, structuring, retrieval, transmission (emails), aggregation, and deletion.
A4. Purpose: Enable Customer to collect structured feedback and produce aggregated insights for personal/professional development.
A5. Types of Personal Data:
- Customer users: name, email, hashed password, workspace identifiers
- Invitees/Respondents: name, email, role, optional invitation message
- Feedback content: ratings (1–5), boolean collaboration/recommendation, free-text feedback (strengths, growth opportunities, optional comment)
- Metadata/security: IP addresses, timestamps, identifiers, email delivery logs (as necessary for sending and troubleshooting)
A6. Categories of Data Subjects:
- Customer’s Authorized Users
- Feedback Subjects
- Respondents / invited participants
ANNEX B – TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs) (baseline)
B1. Access control: role-based access, least privilege, admin controls.
B2. Authentication security: passwords stored hashed (e.g., Argon2/bcrypt), protected reset flows.
B3. Encryption: TLS in transit; encryption at rest where supported by hosting providers.
B4. Logging/monitoring: audit logs for key actions; monitoring for suspicious activity.
B5. Backup & recovery: regular backups; tested restore procedures.
B6. Vulnerability management: patching, dependency updates, security reviews.
B7. Incident response: documented process for triage, mitigation, and customer notification.
B8. Data minimization: invitation emails avoid including feedback content; only necessary data collected.
B9. Personnel and confidentiality: access limited to authorized staff; confidentiality commitments.
ANNEX C – APPROVED SUBPROCESSORS (Product Data)
(Controller-context providers like GA/MailerLite/Paddle are typically not needed here unless they process Product Data on Customer’s behalf.)
C1. DigitalOcean – hosting (App Platform) and database (Managed MySQL)
Purpose: store and process Product Data to operate the Service.
DPA: https://www.digitalocean.com/legal/data-processing-agreement
C2. Cloudflare – DNS/WAF/security/CDN
Purpose: protect and deliver the Service, mitigate attacks, performance.
DPA: https://www.cloudflare.com/cloudflare-customer-dpa/
C3. Mailgun (Sinch) – transactional email delivery
Purpose: send invitations, reminders, and service emails.
DPA: https://sinch.com/legal/terms-and-conditions/other-sinch-terms-conditions/data-protection-agreement/