Revence

Last updated: 18 June 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the merchant ("Controller") and Kremer Software, operating Revence ("Processor"). It governs the processing of personal data that the Processor carries out on behalf of the Controller, in accordance with Article 28 of the General Data Protection Regulation (GDPR).

1. Roles of the parties

The merchant is the data controller: they determine the purpose and means of processing their customers' personal data. Revence (Kremer Software) acts solely as the data processor and processes personal data only on the documented instructions of the Controller, as set out in this DPA and the Terms of Service.

2. Subject matter, nature and purpose

The Processor processes personal data exclusively to detect failed subscription payments and send branded recovery messages (WhatsApp and/or email) with a payment link to the Controller's customers, and to provide the related dashboard and reporting. Processing lasts for the duration of the Controller's use of the service.

3. Categories of data and data subjects

Data subjects: the Controller's end customers.

Personal data processed:
• Name of the customer
• Email address
• Phone number (for WhatsApp messages)
• Payment metadata (amount, currency, failed invoice/payment ID, recovery status)

No special categories of personal data (Article 9 GDPR) are processed.

4. Obligations of the Processor

The Processor shall:
• Process personal data only on the documented instructions of the Controller;
• Ensure that persons authorised to process the data are bound by confidentiality;
• Implement appropriate technical and organisational security measures (Article 32 GDPR), including encryption in transit, access control and isolation of merchant data (row-level security);
• Assist the Controller in responding to data-subject requests (access, rectification, erasure);
• Notify the Controller without undue delay after becoming aware of a personal data breach;
• On termination, delete or return all personal data, save where storage is required by law.

5. Sub-processors

The Controller grants general authorisation for the Processor to engage the following sub-processors. The Processor remains fully liable for their performance.
• Supabase Inc. — database and authentication hosting (EU region)
• Stripe Payments Europe Ltd. — payment processing (Stripe merchants)
• Mollie B.V. — payment processing (Mollie merchants)
• Resend (Plus Five Five, Inc.) — transactional email delivery
• Meta Platforms Ireland Ltd. — WhatsApp Business messaging

The Processor will inform the Controller of any intended change of sub-processors, giving the Controller the opportunity to object.

6. International transfers

Personal data is processed within the European Economic Area where possible. Where a sub-processor processes data outside the EEA, the transfer is covered by an adequacy decision or the European Commission's Standard Contractual Clauses.

7. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, with reasonable prior notice.

8. Duration and acceptance

This DPA takes effect upon the Controller's acceptance during onboarding and remains in force for as long as the Processor processes personal data on behalf of the Controller. Acceptance is recorded with a timestamp and IP address as evidence of agreement.

9. Contact

For questions about this DPA, email contact@revence.app.