Data Processing Addendum
Last Updated: April 30, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between RevenArc LLC (“RevenArc”) and the customer identified in the applicable Order Form, subscription confirmation, master services agreement, statement of work, or other written agreement that incorporates this DPA (“Customer”). This DPA applies when RevenArc processes Customer Personal Data on behalf of Customer in connection with the Services.
If Customer and RevenArc have signed a separate data processing agreement, the signed agreement controls to the extent it conflicts with this DPA.
1. Definitions
“Agreement” means the written or electronic agreement governing Customer’s use of the Services, including any Order Form, Terms & Conditions, statement of work, or subscription confirmation.
“Applicable Data Protection Laws” means all privacy, data protection, data security, and breach notification laws applicable to the processing of Customer Personal Data under the Agreement, including where applicable the CCPA, other U.S. state privacy laws, the GDPR, the UK GDPR, and laws implementing or supplementing them.
“CCPA” means the California Consumer Privacy Act, as amended, and its implementing regulations.
“Customer Personal Data” means personal information, personal data, or similar regulated information contained in Customer Data that RevenArc processes on behalf of Customer under the Agreement.
“Data Subject” means an identified or identifiable person to whom Customer Personal Data relates, including California consumers where applicable.
“GDPR” means Regulation (EU) 2016/679, and “UK GDPR” means the retained UK version of Regulation (EU) 2016/679 as amended by UK law.
“Personal Data Breach” or “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by RevenArc. Failed attempts, pings, scans, unsuccessful login attempts, and similar events that do not compromise Customer Personal Data are not Security Incidents.
“Services” means the RevenArc products and services described in the Agreement, including revenue intelligence, analytics, dashboards, AI-generated reports and coaching briefs, Academy, integrations, support, and related services.
“Subprocessor” means a third party engaged by RevenArc to process Customer Personal Data on behalf of Customer.
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
2. Roles of the Parties
As between Customer and RevenArc:
- Customer is the controller, business, or equivalent entity that determines the purposes and means of processing Customer Personal Data.
- RevenArc is the processor, service provider, contractor, or equivalent entity that processes Customer Personal Data on Customer’s behalf and in accordance with Customer’s documented instructions.
For personal information that RevenArc processes independently for its own business purposes, such as account administration, billing, security, legal compliance, product improvement using aggregated or de-identified data, or direct marketing to business contacts, RevenArc may act as an independent controller or business, and the RevenArc Privacy Policy applies.
3. Scope and Instructions
RevenArc will process Customer Personal Data only to provide, secure, maintain, support, improve, and operate the Services; to process Customer’s documented instructions; to comply with law; and as otherwise permitted by the Agreement and this DPA. Customer’s instructions include the Agreement, Order Form, configuration settings, integration choices, product permissions, support requests, and other written instructions.
Customer acknowledges that the Services may process Customer Personal Data through revenue intelligence, analytics, role-scoped dashboards, AI Features, Academy, reports, staff enablement, and customer-directed integrations with PMS, POS, CRM, reservation, spa, learning, payment, and related systems.
3.1 AI Processing Providers and Outputs
RevenArc may use third-party AI service providers, including OpenAI, to generate summaries, recommendations, coaching briefs, reports, chatbot responses, training assignments, and other Outputs. RevenArc will send only the Customer Personal Data reasonably necessary for the configured AI Feature, subject to Customer’s configuration and instructions. Prompts, retrieved context, Outputs, and related metadata may contain Customer Personal Data depending on Customer’s configuration and use of the Services.
Unless otherwise stated in an Order Form or this DPA, RevenArc will not intentionally use identifiable Customer Personal Data to train general-purpose AI models made available to other customers. Customer remains responsible for configuring integrations, prompt inputs, user roles, and permissions to limit unnecessary or prohibited data.
4. Customer Obligations
Customer is responsible for:
- providing all legally required notices and obtaining all legally required consents, permissions, authorizations, and legal bases for processing Customer Personal Data;
- ensuring that Customer Personal Data is accurate, lawful, and limited to what is reasonably necessary for the Services;
- configuring integrations to prevent prohibited or unnecessary data from being sent to RevenArc;
- responding to Data Subject requests where Customer is the controller or business;
- complying with employment, privacy, consumer protection, anti-discrimination, automated decision-making, hospitality, payment, and other applicable laws;
- ensuring that Customer does not use RevenArc Outputs as the sole basis for legally significant decisions about individuals without appropriate human review, notices, and legal compliance measures.
Customer must not submit prohibited data to the Services unless RevenArc has expressly agreed in writing.
5. RevenArc Processing Obligations
RevenArc will:
- process Customer Personal Data only according to Customer’s documented instructions;
- ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
- implement appropriate technical and organizational measures designed to protect Customer Personal Data;
- assist Customer, taking into account the nature of the processing and information available to RevenArc, with Data Subject requests and compliance obligations as described in this DPA;
- notify Customer if RevenArc determines it can no longer meet its obligations under Applicable Data Protection Laws;
- not sell or share Customer Personal Data as those terms are defined by the CCPA;
- not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by the Agreement, this DPA, Customer’s instructions, or applicable law.
6. Confidentiality
RevenArc will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
7. Security Measures
RevenArc will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, disclosure, or access. These measures include the controls described in Appendix B, taking into account the nature, scope, context, and purposes of processing and the risk to individuals.
Customer acknowledges that security measures may evolve over time. RevenArc may update security measures, provided the updates do not materially reduce the overall level of protection for Customer Personal Data.
8. Subprocessors
Customer provides general authorization for RevenArc to engage Subprocessors to process Customer Personal Data in connection with the Services.
RevenArc will require each Subprocessor to enter into written obligations that provide a level of data protection materially equivalent to this DPA for the relevant processing. RevenArc remains responsible for Subprocessors’ performance of their data protection obligations to the extent required by Applicable Data Protection Laws.
Current or expected Subprocessors and integration providers are listed in Appendix C. RevenArc will maintain current subprocessor information and may update Appendix C or a public subprocessor page from time to time. If required by Applicable Data Protection Laws or the Agreement, RevenArc will provide notice of new or replacement Subprocessors and allow Customer a reasonable opportunity to object based on material data protection concerns.
If Customer objects to a Subprocessor and RevenArc cannot reasonably accommodate the objection, either party may terminate the affected Services as provided in the Agreement.
9. Data Subject and Consumer Requests
Taking into account the nature of the processing and information available to RevenArc, RevenArc will provide reasonable assistance to Customer to enable Customer to respond to Data Subject requests, including requests to know, access, delete, correct, port, opt out, limit, restrict, object, or appeal where applicable.
If RevenArc receives a request directly from a Data Subject concerning Customer Personal Data, RevenArc may refer the request to Customer and will not respond substantively unless instructed by Customer or required by law.
10. Security Incident Notification
If RevenArc confirms a Security Incident affecting Customer Personal Data, RevenArc will notify Customer without undue delay and, where practicable, within 72 hours after confirmation, unless prohibited by law.
The notice will include information reasonably available to RevenArc, which may include the nature of the Security Incident, affected categories of Customer Personal Data, affected Data Subjects, steps taken or planned to address the incident, and contact information for follow-up. RevenArc’s notification is not an admission of fault or liability.
Customer is responsible for determining whether to notify Data Subjects, regulators, customers, employees, or other third parties, unless applicable law requires otherwise.
11. Assistance with Compliance
Taking into account the nature of processing and information available to RevenArc, RevenArc will provide reasonable assistance with Customer’s obligations concerning:
- security of processing;
- breach notifications;
- data protection impact assessments;
- risk assessments;
- cybersecurity assessments or audits where applicable;
- regulator consultations where required by law.
RevenArc may charge reasonable fees for assistance that is not included in the Services or is required because of Customer’s specific instructions, unless prohibited by law.
12. Audits and Information Rights
Upon reasonable written request and subject to confidentiality restrictions, RevenArc will make available information reasonably necessary to demonstrate compliance with this DPA.
Where available, RevenArc may satisfy audit obligations by providing security documentation, summaries, questionnaires, certifications, attestations, third-party reports, or similar materials. Customer may request an audit no more than once per year unless required by a regulator, required by law, or following a confirmed Security Incident affecting Customer Personal Data.
Any audit must be conducted during normal business hours, with reasonable advance notice, without disrupting RevenArc’s operations, and subject to confidentiality, security, and access restrictions. Customer may not conduct penetration testing, vulnerability scanning, social engineering, or technical testing of RevenArc systems without prior written authorization.
13. Return and Deletion
Upon termination or expiration of the Services, RevenArc will delete or return Customer Personal Data according to the Agreement, product functionality, and Customer’s documented instructions, unless retention is required or permitted by law.
Customer Personal Data stored in backups may be retained until overwritten or deleted through ordinary backup cycles, provided it remains protected and is not used for any purpose other than backup, security, continuity, or legal compliance.
14. De-Identified and Aggregated Data
RevenArc may process aggregated, anonymized, or de-identified data derived from Customer Data for analytics, benchmarking, product improvement, research, and business purposes, provided the data does not identify Customer, Data Subjects, or individuals and is not reasonably capable of being re-identified.
Where CCPA applies, RevenArc will take reasonable measures to ensure de-identified information cannot be associated with a consumer or household, publicly commit to maintaining and using de-identified information without attempting to re-identify it, and contractually require recipients to comply with applicable de-identification obligations.
15. CCPA Service Provider and Contractor Terms
For Customer Personal Data subject to the CCPA, RevenArc will act as a service provider or contractor and will:
- process Customer Personal Data only for the limited and specified purposes described in the Agreement, this DPA, or Customer’s documented instructions;
- not sell or share Customer Personal Data;
- not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, this DPA, or as otherwise permitted by the CCPA;
- not retain, use, or disclose Customer Personal Data outside the direct business relationship between RevenArc and Customer except as permitted by the CCPA;
- not combine Customer Personal Data with personal information received from another source except as permitted by the CCPA;
- comply with applicable CCPA obligations and provide the same level of privacy protection required by the CCPA for the relevant processing;
- notify Customer if RevenArc determines it can no longer meet its CCPA obligations;
- allow Customer to take reasonable and appropriate steps to help ensure RevenArc’s use of Customer Personal Data is consistent with Customer’s CCPA obligations;
- allow Customer, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data;
- require Subprocessors to comply with materially equivalent CCPA service provider or contractor obligations.
16. U.S. State Privacy Laws
For Customer Personal Data subject to U.S. state privacy laws other than the CCPA, RevenArc will process Customer Personal Data in a processor or equivalent service provider role under Customer’s instructions and will comply with applicable contractual obligations required for processors under those laws, including confidentiality, security, assistance with rights requests, deletion or return, audit support, subprocessor flow-down obligations, and restrictions on unauthorized processing.
17. GDPR and UK GDPR Terms
Where Customer Personal Data is subject to the GDPR or UK GDPR, this DPA is intended to satisfy Article 28 requirements. RevenArc will:
- process Customer Personal Data only on Customer’s documented instructions;
- ensure confidentiality of authorized personnel;
- implement appropriate security measures;
- engage Subprocessors only with Customer’s general authorization and appropriate flow-down obligations;
- assist Customer with Data Subject rights requests;
- assist Customer with security, breach notification, DPIAs, and regulator consultation obligations;
- delete or return Customer Personal Data at the end of the Services, unless law requires retention;
- make information available to demonstrate compliance and allow audits as described in this DPA.
18. International Transfers
Customer acknowledges that RevenArc is based in the United States and may process Customer Personal Data in the United States and other jurisdictions where RevenArc, its affiliates, or Subprocessors operate.
Where Customer Personal Data subject to GDPR, UK GDPR, or Swiss data protection law is transferred to a country that has not been recognized as providing adequate protection, the parties will rely on an appropriate transfer mechanism, such as the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum or International Data Transfer Agreement, the Swiss addendum or adaptations, or another lawful mechanism.
Where the European Commission Standard Contractual Clauses apply:
- Module Two applies where Customer is a controller and RevenArc is a processor;
- Module Three applies where Customer is a processor and RevenArc is a subprocessor;
- the optional docking clause applies;
- the subprocessor authorization option is general authorization;
- the governing law and forum are selected as permitted by the applicable clauses and, where required, will be a jurisdiction that allows Data Subjects to enforce rights under the clauses;
- the appendices to this DPA are deemed to complete the annexes to the clauses to the extent applicable.
If there is a conflict between this DPA and an applicable transfer mechanism, the transfer mechanism controls to the extent of the conflict.
19. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to processing of Customer Personal Data. If there is a conflict between this DPA and the Standard Contractual Clauses or another mandatory data transfer mechanism, the mandatory transfer mechanism controls.
20. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless prohibited by Applicable Data Protection Laws.
21. Contact
Questions about this DPA may be sent to:
RevenArc LLC
Email: privacy@revenarc.com
Legal notices relating to the Agreement may be sent to legal@revenarc.com.
A.1 Subject Matter
RevenArc processes Customer Personal Data to provide AI-powered revenue intelligence, analytics, dashboards, staff enablement, Academy, integrations, reports, coaching briefs, customer success, support, security, and related services for hospitality businesses.
A.2 Duration
Customer Personal Data is processed for the term of the Agreement and as necessary for deletion, return, backup, legal compliance, dispute resolution, security, and legitimate business retention obligations.
A.3 Nature and Purpose of Processing
The processing includes collection, receipt, hosting, storage, organization, normalization, retrieval, analysis, transformation, enrichment, display, transmission, disclosure to authorized Subprocessors and integrations, deletion, and return.
The purposes include providing the Services, integrating with customer systems, generating analytics and Outputs, supporting Academy training, providing customer support, maintaining security, improving Services, and complying with the Agreement and law.
A.4 Categories of Data Subjects
Customer Personal Data may relate to:
- Customer administrators and Authorized Users;
- hotel, restaurant, outlet, spa, and hospitality staff;
- guests, patrons, customers, loyalty members, and reservation contacts of Customer;
- business contacts, vendors, and representatives;
- support contacts and implementation stakeholders.
A.5 Categories of Personal Data
Customer Personal Data may include:
- identifiers and contact information;
- business role, department, location, and account permissions;
- reservation, stay, folio, order, outlet, menu, transaction, service, and guest-journey information;
- guest preferences, notes, segments, and operational context provided by Customer;
- staff training progress, Academy activity, coaching activity, performance metrics, and role-specific analytics;
- PMS, POS, CRM, reservation, learning, and integration metadata;
- communications, support tickets, implementation notes, and user-submitted content;
- device, log, authentication, usage, and security information;
- reports, dashboards, summaries, recommendations, and AI-generated Outputs derived from Customer Data.
A.6 Sensitive Personal Data
The Services are not designed to require sensitive personal data. Customer must not submit sensitive personal data unless authorized in writing and legally permitted. If Customer submits sensitive personal data, RevenArc will process it according to Customer’s documented instructions and this DPA.
A.7 Frequency of Processing
Continuous or as initiated by Customer, Authorized Users, integrations, product configurations, support requests, or scheduled processing jobs.
A.8 Transfers
Customer Personal Data may be processed in the United States and other jurisdictions where RevenArc or approved Subprocessors operate, subject to this DPA and applicable transfer mechanisms.
Appendix B: Technical and Organizational Measures
RevenArc’s technical and organizational measures include, as applicable and appropriate to the Services:
B.1 Governance
- security ownership and operational responsibility;
- written policies and procedures for confidentiality, access, incident response, and data handling;
- periodic review of security risks and controls;
- personnel confidentiality obligations.
B.2 Access Control
RevenArc uses role-based access controls, authentication procedures, least-privilege access practices, and administrative restrictions designed to limit access to Customer Personal Data to authorized users, personnel, and systems. Customer administrators are responsible for assigning user roles and permissions.
RevenArc may use a gateway architecture for public application access. The gateway manages public login, logout, browser session issuance, product routing, route scoping, and signed identity headers for downstream product services. Product applications are designed to accept authenticated identity from the gateway and enforce product- and role-specific access controls.
RevenArc may use internal service keys for trusted automation, support, monitoring, administrative workflows, or service-to-service operations. Internal service keys are restricted to authorized systems and personnel and are rotated or revoked as appropriate.
B.3 Encryption and Transmission Security
- encryption in transit using industry-standard protocols;
- encryption or equivalent safeguards for data at rest where appropriate;
- secure configuration of production systems and services.
B.4 Availability, Backup, and Recovery
RevenArc uses cloud infrastructure, backup, restoration, monitoring, and operational procedures designed to support availability and recovery. Current or expected infrastructure may include Railway for application runtime and Vercel/v0 for website deployment, depending on the Services or website components involved.
Certain pilot, demo, or prototype environments may use seeded demo data, limited-scope test data, or prototype storage. Customer production data should be processed only in environments approved for customer use and governed by the applicable Agreement, Order Form, DPA, and security controls.
B.5 Logging and Monitoring
- system, application, authentication, and security logging;
- monitoring for anomalous activity, errors, and security events;
- log retention appropriate for security, troubleshooting, and compliance.
B.6 Secure Development and Vulnerability Management
- code review and testing practices;
- dependency and vulnerability review;
- remediation based on severity and risk;
- change management and deployment controls.
B.7 Data Segregation and Tenant Controls
- logical separation of customer accounts and permissions;
- controls designed to restrict access to Customer Data to authorized users and systems;
- product permissioning for customer administrators.
B.8 Vendor Management
RevenArc reviews vendors and subprocessors that may access Customer Personal Data and requires appropriate confidentiality, security, and data protection obligations. Subprocessors may be used for hosting, infrastructure, AI inference, website deployment, analytics, communications, support, security, payment processing, and product operations.
Customer-directed PMS, POS, reservation, spa, CRM, payment, and similar integrations may be governed by the customer’s direct relationship with the connected provider and may be used only when authorized or configured by Customer.
B.9 Incident Response
- procedures for identifying, investigating, escalating, containing, and remediating Security Incidents;
- customer notification procedures for confirmed Security Incidents affecting Customer Personal Data;
- post-incident review where appropriate.
B.10 Data Minimization and Retention
- processing limited to Services, customer instructions, legal compliance, and legitimate operational purposes;
- retention and deletion practices based on the Agreement, product settings, legal obligations, and backup cycles;
- controls for aggregated or de-identified data.
Appendix C: Current Subprocessors and Integration Providers
RevenArc’s current or expected subprocessors and integration providers include the following, as applicable to the Services purchased, website features used, and integrations enabled by Customer. Some providers may function as customer-directed integration providers rather than RevenArc subprocessors in every context.
| Provider | Function | Categories of Data | Notes |
|---|---|---|---|
| Railway | Cloud hosting, application runtime, infrastructure, deployment operations, database volume/storage where configured | Customer Data, account data, integration data, logs, technical metadata | Product runtime for RevenArc Gateway, RevenArc Hotel, and RevenArc Restaurant where deployed |
| OpenAI | AI inference and generation | Prompts, retrieved context, Outputs, Customer Data included in prompts, metadata | Used for AI assistant, coaching briefs, summaries, reports, and analytics Outputs; business/API data is not used to train OpenAI models by default unless opted in |
| Vercel / v0 | Website hosting, deployment, preview/production deployments, and privacy-focused website analytics if enabled | Website visitor data, analytics events, technical metadata, deployment metadata | Marketing website / v0 deployment surface; analytics depends on configuration and does not imply advertising pixels or retargeting |
| Square | Customer-directed POS integration | POS location metadata, order/check data, transaction metadata, integration tokens | Used only when Customer connects Square or otherwise authorizes Square integration |
| GitHub | Source-code hosting, deployment linkage, issue/PR records | Source code, deployment metadata, issue and pull request data | Internal product development and deployment linkage |
| Email provider | Business communications, notices, support, security, privacy communications | Business contact data, message content, legal/privacy/security communications | Provider not currently used for Customer Personal Data, or to be confirmed before use with Customer Personal Data. |
| Payment provider | Billing and payment processing | Billing contact information, invoice metadata, payment metadata | Provider not currently used for Customer Personal Data, or to be confirmed before use with Customer Personal Data. |
| Support / CRM / analytics vendors | Support, demo requests, customer success, CRM, product analytics, website analytics | Business contact data, support communications, usage data, website events | Provider not currently used for Customer Personal Data, or to be confirmed before use with Customer Personal Data. |
RevenArc may update this appendix or maintain a separate public subprocessor page. Questions may be sent to privacy@revenarc.com.