Last updated: 18 June 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the merchant ("Controller") and Kremer Software, operating Revence ("Processor"). It governs the processing of personal data that the Processor carries out on behalf of the Controller, in accordance with Article 28 of the General Data Protection Regulation (GDPR).
1. Roles of the parties
The merchant is the data controller: they determine the purpose and means of processing their customers' personal data. Revence (Kremer Software) acts solely as the data processor and processes personal data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service.
2. Subject matter, nature and purpose
The Processor processes personal data exclusively to detect failed subscription payments and send branded recovery messages (WhatsApp and/or email) with a payment link to the Controller's customers, and to provide the related dashboard and reporting. Processing lasts for the duration of the Controller's use of the service.
3. Categories of data and data subjects
Data subjects: the Controller's end customers.
Personal data processed:
• Name of the customer
• Email address
• Phone number (for WhatsApp messages)
• Payment metadata (amount, currency, failed invoice/payment ID, recovery status)
No special categories of personal data (Article 9 GDPR) are processed.
4. Obligations of the Processor
The Processor shall:
• Process personal data only on the documented instructions of the Controller;
• Ensure that persons authorised to process the data are bound by confidentiality;
• Implement appropriate technical and organisational security measures (Article 32 GDPR), including encryption in transit, access control and isolation of merchant data (row-level security);
• Assist the Controller in responding to data-subject requests (access, rectification, erasure);
• Notify the Controller without undue delay after becoming aware of a personal data breach;
• On termination, delete or return all personal data, save where storage is required by law.
5. Sub-processors
The Controller grants general authorisation for the Processor to engage the following sub-processors. The Processor remains fully liable for their performance.
• Supabase Inc. — database and authentication hosting (EU region)
• Stripe Payments Europe Ltd. — payment processing (Stripe merchants)
• Mollie B.V. — payment processing (Mollie merchants)
• Resend (Plus Five Five, Inc.) — transactional email delivery
• Meta Platforms Ireland Ltd. — WhatsApp Business messaging
The Processor will inform the Controller of any intended change of sub-processors, giving the Controller the opportunity to object.
6. International transfers
Personal data is processed within the European Economic Area where possible. Where a sub-processor processes data outside the EEA, the transfer is covered by an adequacy decision or the European Commission's Standard Contractual Clauses.
7. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, with reasonable prior notice.
8. Duration and acceptance
This DPA takes effect upon the Controller's acceptance during onboarding and remains in force for as long as the Processor processes personal data on behalf of the Controller. Acceptance is recorded with a timestamp and IP address as evidence of agreement.
9. Contact
For questions about this DPA, email contact@revence.app.