Data Processing Agreement

Last updated: 22/05/2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Reviso (“Processor”, “we”, “us”), 182 Vivian Street, Wellington, New Zealand, and the customer agreeing to those Terms (“Controller”, “you”). It applies where, and only to the extent that, we process personal data on your behalf in connection with the Reviso plugin or our support services. If there is a conflict between this DPA and the Terms regarding data protection, this DPA prevails.

1. Roles

For personal data that the Plugin stores on your WordPress site (reviewer names, emails, comments, screenshots, attachments, technical context, and approval records), you are the Controller and we are the Processor only where we actually process it on your behalf – for example when you grant us support access, or when a cloud-assisted feature is used. We are not a Processor for data that never leaves your infrastructure. For our own website and sales data we are an independent Controller, governed by our Privacy Policy.

2. Subject matter, nature & purpose

We process personal data only to (a) provide and support the Plugin and Site, (b) carry out features you enable, and (c) comply with law. Processing lasts for the duration of your license plus any period required to provide support or meet legal obligations.

3. Types of data & data subjects

  • Data subjects: your reviewers, clients, and team members.
  • Data types: names, email addresses, comment and reply content, screenshots and attachments, page/element metadata, technical context (browser, OS, viewport, page URL, JavaScript errors), and approval records (including IP address and user-agent).

4. Your instructions

We process personal data only on your documented instructions (including via your configuration of the Plugin), unless required to do otherwise by law, in which case we will inform you where legally permitted. You are responsible for ensuring you have a lawful basis and any necessary consents to collect and process the data, and that your instructions comply with applicable law.

5. Confidentiality

We ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.

6. Security

We implement reasonable technical and organisational measures appropriate to the risk, including access controls, encryption in transit for data we transmit, and least-privilege support access. You remain responsible for securing your own WordPress installation, hosting, backups, and review links.

7. Subprocessors

You authorise us to engage subprocessors to support our services. Current and potential subprocessors include:

  • Lemon Squeezy – billing and licensing;
  • Postmark / ActiveCampaign – transactional and marketing email;
  • Vultr – website hosting;
  • Anthropic, OpenAI – only where you enable AI features (these run using your own API key and are subprocessors of the resulting processing).

We impose data-protection obligations on subprocessors no less protective than this DPA, and remain responsible for their performance. We will give you reasonable notice of any intended addition or replacement of a subprocessor so you may object on reasonable grounds.

8. International transfers

Where personal data is transferred across borders, we rely on appropriate safeguards such as the Standard Contractual Clauses or an equivalent transfer mechanism, which are incorporated into this DPA by reference where applicable.

9. Assistance

Taking into account the nature of processing, we will provide reasonable assistance to help you (a) respond to data-subject requests (access, correction, deletion, portability, objection), and (b) meet your obligations around security, breach notification, and data-protection impact assessments.

10. Personal data breach

We will notify you without undue delay after becoming aware of a personal data breach affecting data we process on your behalf, and provide information reasonably available to help you meet your notification obligations.

11. Return & deletion

Because Plugin data is stored in your database, you control its retention and deletion at all times. For any personal data we hold as Processor (e.g. via support access), we will delete or return it on termination, except where retention is required by law. The Plugin also provides a “delete data on uninstall” option to remove its stored data from your site.

12. Audits

On reasonable written request and no more than once per year (unless required by a supervisory authority), we will make available information necessary to demonstrate compliance with this DPA, subject to confidentiality and the protection of other customers’ data.

13. How to execute this DPA

This DPA is offered as a standard agreement. To put a countersigned copy in place, or to request a version on your own paper, email ben@getreviso.io. Your continued use of the Plugin after enabling features that involve us as Processor constitutes acceptance of this DPA.

14. Contact

Reviso, 182 Vivian Street, Wellington, New Zealand
Email: ben@getreviso.io