RevStack Data Processing Agreement
Effective Date: June 29, 2026
Last Updated: June 29, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between RevStack LLC ("RevStack," "Processor," "Service Provider," "we," or "us") and the customer that has agreed to the RevStack Terms of Service ("Customer," "Controller," or "you") (together, the "Agreement") and governs RevStack's processing of Personal Data on Customer's behalf in connection with the Services.
1. Parties and Roles
For the personal data of Customer's leads, prospects, and customers processed through the Services ("Customer Personal Data"):
- Customer is the Controller (and, under the CCPA, the Business). Customer determines the purposes and means of processing.
- RevStack is the Processor (and, under the CCPA, the Service Provider). RevStack processes Customer Personal Data only on Customer's documented instructions and to provide the Services.
- Sub-processors are the third parties RevStack engages to help deliver the Services, listed in Annex 3.
To the extent RevStack processes information as a controller (for example, account, billing, and Site-visitor data), that processing is governed by the RevStack Privacy Policy, not this DPA.
2. Definitions
Capitalized terms not defined here have the meaning given in the Agreement. For this DPA:
- "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing, including the EU/UK General Data Protection Regulation ("GDPR"), and the California Consumer Privacy Act as amended ("CCPA").
- "Personal Data," "Controller," "Processor," "Data Subject," "Processing," and "Personal Data Breach" have the meanings given under GDPR (or their equivalents under other Applicable Data Protection Law).
- "Business," "Service Provider," "Sale," "Share," and "Consumer" have the meanings given under the CCPA.
- "Standard Contractual Clauses" / "SCCs" means the clauses approved for international transfers of Personal Data, where applicable.
3. Processing on Documented Instructions
RevStack will process Customer Personal Data only:
- to provide, maintain, and support the Services;
- in accordance with Customer's documented instructions, including those in the Agreement and this DPA; and
- as otherwise required by law (in which case RevStack will, where legally permitted, notify Customer first).
RevStack will not process Customer Personal Data for any other purpose, and will not retain, use, or disclose it outside the direct business relationship or for any purpose other than the Services, except as permitted by Applicable Data Protection Law. The Details of Processing are set out in Annex 1.
4. Confidentiality
RevStack will ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as needed to perform the Services.
5. Security Measures
RevStack will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature and risk of the processing. Those measures are described in Annex 2.
6. Sub-Processors
- Authorization. Customer authorizes RevStack to engage the sub-processors listed in Annex 3 to process Customer Personal Data.
- Flow-down terms. RevStack will impose data protection obligations on each sub-processor that are substantially the same as those in this DPA, and remains responsible for each sub-processor's performance.
- Changes and right to object. RevStack will provide notice (for example, by updating Annex 3 or its website) before adding or replacing a sub-processor. Customer may object on reasonable data-protection grounds within thirty (30) days of such notice; if the parties cannot resolve the objection, Customer may terminate the affected Services.
7. Assistance with Data-Subject Rights
Taking into account the nature of the processing, RevStack will provide reasonable assistance to enable Customer to respond to requests from Data Subjects (or Consumers) to exercise their rights of access, correction, deletion, restriction, portability, and objection (or opt-out). If RevStack receives such a request directly, it will, where permitted, promptly forward it to Customer and not respond except on Customer's instructions.
8. Personal Data Breach Notification
RevStack will notify Customer without undue delay, and in any case within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and the measures taken or proposed. RevStack will reasonably cooperate with Customer's investigation and remediation.
9. Audits
RevStack will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or a mutually agreed independent auditor, on reasonable prior notice, no more than once per year (except where required by a regulator or following a Personal Data Breach), during business hours, and subject to confidentiality. RevStack may satisfy audit requests by providing relevant third-party certifications or reports where available.
10. International Transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism, including the Standard Contractual Clauses, which are incorporated by reference where applicable. RevStack is primarily US-facing; international transfers are handled via Standard Contractual Clauses where applicable.
11. Deletion or Return on Termination
On termination or expiry of the Services, and at Customer's choice, RevStack will delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by law. Deletion timelines are subject to backup-rotation cycles and sub-processor capabilities. RevStack will delete or return Customer Personal Data within thirty (30) days of termination or expiry of the Services, except to the extent retention is required by law.
12. CCPA Terms (Service Provider)
With respect to Customer Personal Data subject to the CCPA, RevStack acts as a Service Provider and certifies that it will not:
- Sell or Share Customer Personal Data;
- retain, use, or disclose Customer Personal Data for any purpose other than performing the Services, or outside the direct business relationship, or for a commercial purpose other than the Services; or
- combine Customer Personal Data with other data except as permitted by the CCPA.
RevStack will comply with applicable CCPA obligations and will notify Customer if it determines it can no longer meet its obligations as a Service Provider.
13. Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA controls; for international transfers, the SCCs (where applicable) control over this DPA.
Annex 1 — Details of Processing
- Subject matter: RevStack's provision of the AI front-of-house Services to Customer.
- Duration: For the term of the Agreement, plus any post-termination retention period in Section 11.
- Nature and purpose: Receiving, answering, and returning calls and messages; recording and transcribing calls; booking and managing appointments and estimates; recovering missed calls; requesting reviews; maintaining CRM records; social posting; billing support; and lead-attribution reporting on Customer's behalf.
- Types of Personal Data: Names; phone numbers; email addresses; physical/project addresses; the content of communications (calls, SMS, web chat, social messages, email); call recordings and transcripts; appointment, estimate, project, and lead-attribution details; and other data Customer provides or generates through the Services.
- Categories of Data Subjects: Customer's leads, prospects, and customers (e.g., homeowners and businesses contacting the Customer), and Customer's personnel who use the Services.
- Special categories of data: Generally not intended to be processed; Customer should not submit special-category data through the Services.
Annex 2 — Technical and Organizational Security Measures
RevStack maintains measures including, as applicable:
- Encryption of data in transit (TLS) and reliance on providers that encrypt data at rest.
- Access controls — role-based access, least-privilege, and unique credentials; multi-factor authentication for administrative access where supported.
- Network and application security — use of reputable infrastructure (e.g., Cloudflare) for DDoS protection, firewalling, and CDN security.
- Secrets management — credentials stored in a secrets manager, not in code or chat.
- Logging and monitoring of administrative and processing activity.
- Sub-processor diligence — engaging established providers with their own security programs.
- Personnel — confidentiality obligations and need-to-know access.
- Incident response — procedures to detect, investigate, and report Personal Data Breaches.
- Data minimization and retention controls aligned with the Agreement.
Annex 3 — Approved Sub-Processors
| Sub-processor | Service / Purpose | Notes |
|---|---|---|
| HighLevel Inc. (GoHighLevel) — including its native AI voice and conversational features | CRM, marketing automation, AI agent platform, native AI voice/chat, data hosting | Core platform; AI voice/chat delivered via GoHighLevel's native AI |
| Twilio / LeadConnector | Telephony, call routing, SMS | |
| Stripe | Payment processing | |
| Cloudflare | Website hosting, CDN, security | |
| Resend | Transactional / notification email | |
| Google (Google Workspace) | Email and productivity | |