This Data Processing Addendum, including its Annexes ("DPA"), forms part of the Terms of Service or other written agreement (the "Agreement") between:
- 6th Sense Interactive LLC (doing business as "Ravela") ("Ravela," "we," "us," "Processor"); and
- the customer that has accepted the Agreement (the "Customer," "you," "Controller").
This DPA governs our processing of Customer Personal Data (defined below) on the Customer's behalf in connection with the Ravela services (the "Services"). If there is any conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA controls.
Effective date: the date the Customer accepts the Agreement, or the date this DPA is signed, whichever is earlier.
1. Definitions
Capitalized terms not defined here have the meaning in the Agreement. For this DPA:
- "Applicable Data Protection Law" means all laws applicable to the processing of Customer Personal Data under this DPA, including, as applicable: the EU General Data Protection Regulation 2016/679 ("GDPR"); the UK GDPR and the UK Data Protection Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("FADP"); the California Consumer Privacy Act as amended by the CPRA ("CCPA"); and other U.S. state privacy laws.
- "Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Personal Data Breach" have the meanings in the GDPR (and equivalent terms — such as "Business," "Service Provider," and "Consumer" under the CCPA — apply correspondingly).
- "Customer Personal Data" means Personal Data that we process on the Customer's behalf under the Agreement, as described in Annex I. This includes Personal Data of the Customer's End Users (for example, the content of direct messages, contact records, captured emails, and storefront order data). It does not include Personal Data for which we are an independent Controller (for example, the Customer's own account and billing data), which is governed by our Privacy Policy.
- "Standard Contractual Clauses" / "EU SCCs" means the clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under s.119A of the UK Data Protection Act 2018.
- "Sub-processor" means any third party we engage to process Customer Personal Data.
2. Roles and Scope of Processing
2.1 Roles. With respect to Customer Personal Data, the Customer is the Controller (or a Processor acting on behalf of a third-party Controller), and we are the Processor (or Sub-processor). Under the CCPA, the Customer is the Business and we are a Service Provider.
2.2 Customer responsibilities. The Customer is responsible for the lawfulness of its collection and use of Customer Personal Data, including establishing a lawful basis, providing required notices to Data Subjects, and obtaining any required consents (see the Agreement, including the messaging and email consent obligations). The Customer's instructions to us must comply with Applicable Data Protection Law.
2.3 Our processing. We will process Customer Personal Data only as a Processor/Service Provider, as described in this DPA and Annex I.
3. Processing Instructions
3.1 Documented instructions. We will process Customer Personal Data only on the Customer's documented instructions, including as set out in the Agreement, this DPA, and the Customer's use and configuration of the Services, and as necessary to provide and secure the Services and to comply with law.
3.2 Conflicting instructions / legal requirements. We will inform the Customer if, in our opinion, an instruction infringes Applicable Data Protection Law (without obligation to provide legal advice). If we are required by law to process Customer Personal Data other than on the Customer's instructions, we will inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
4. Confidentiality
We will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and have received appropriate training on their responsibilities. We limit access to Customer Personal Data to personnel who need it to provide the Services.
5. Security
5.1 Security measures. We will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, costs, and the nature, scope, context, and purposes of processing. Our current measures are described in Annex II.
5.2 Updates. We may update our security measures over time, provided that the updates do not materially reduce the overall level of protection of Customer Personal Data.
6. Sub-processors
6.1 General authorization. The Customer provides general authorization for us to engage Sub-processors to process Customer Personal Data, subject to this Section 6. Our current Sub-processors are listed in Annex III.
6.2 Sub-processor obligations. Before a Sub-processor processes Customer Personal Data, we will impose data-protection obligations on it that are no less protective than those in this DPA (the "flow-down"), and we remain responsible for the Sub-processor's performance of those obligations.
6.3 Notice of changes and objection. We will provide notice of any intended addition or replacement of a Sub-processor (for example, by updating Annex III / the sub-processor list and/or by email where the Customer subscribes to notifications) at least 30 days before the change. The Customer may object on reasonable, data-protection-related grounds within 14 days of notice. The parties will work in good faith to resolve the objection; if it cannot be resolved, the Customer may, as its sole remedy, terminate the affected portion of the Services.
7. Assistance to the Controller
7.1 Data-subject requests. Taking into account the nature of the processing, we will provide reasonable assistance (through appropriate technical and organizational measures, and the self-service features of the Services) to help the Customer respond to Data Subjects exercising their rights under Applicable Data Protection Law. If we receive a request directly from a Data Subject regarding Customer Personal Data, we will, where lawful, refer the Data Subject to the Customer and/or promptly notify the Customer.
7.2 DPIAs and consultations. Taking into account the nature of processing and information available to us, we will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, as required by Articles 35–36 of the GDPR.
8. Personal Data Breach Notification
We will notify the Customer without undue delay (and, where feasible, no later than 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known and as it becomes available, the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and the measures taken or proposed to address it. We will take reasonable steps to mitigate and remediate the breach. Our notification is not an acknowledgment of fault or liability.
9. Return and Deletion of Customer Personal Data
Upon termination or expiry of the Agreement, and at the Customer's choice, we will delete or return Customer Personal Data, and delete existing copies, unless retention is required by law. The Customer may export or retrieve Customer Personal Data using the features of the Services before termination. After a reasonable period following termination, and subject to limited retention in routine backups (which are deleted in the ordinary course) and any legal retention requirement, we will delete Customer Personal Data.
10. Audits
10.1 Information. We will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.
10.2 Audits. Where required by Applicable Data Protection Law, we will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. To minimize disruption and protect confidentiality and security: (a) audits will occur on reasonable prior notice (at least 30 days, except where Applicable Data Protection Law or a supervisory authority requires otherwise), no more than once per year (except following a Personal Data Breach or as required by a supervisory authority); (b) we may satisfy audit requests by providing relevant third-party certifications, audit reports (for example, SOC 2 or ISO 27001 reports, if available), and responses to a reasonable security questionnaire; and (c) the Customer will bear its own audit costs and conduct audits during business hours.
11. International Data Transfers
11.1 General. The Customer authorizes us and our Sub-processors to transfer and process Customer Personal Data in the United States and other countries where we or our Sub-processors operate, subject to the safeguards in this Section.
11.2 EU/EEA transfers. Where we process Customer Personal Data that is subject to the GDPR and transfer it to a country not subject to an adequacy decision, the EU SCCs are incorporated into this DPA by reference and apply as follows:
- Module Two (Controller-to-Processor) applies where the Customer is a Controller of Customer Personal Data; Module Three (Processor-to-Processor) applies where the Customer is itself a Processor acting on behalf of a third-party Controller.
- For each applicable Module: in Clause 7 (docking clause), the optional docking clause applies; in Clause 9, Option 2 (general written authorization) applies, with the notice period in Section 6.3 of this DPA; in Clause 11, the optional independent-dispute-resolution language does not apply; in Clause 17, the SCCs are governed by the law of Ireland; in Clause 18(b), disputes will be resolved before the courts of Ireland.
- Annex I to the SCCs is populated by Annex I of this DPA; Annex II to the SCCs is populated by Annex II of this DPA; Annex III (sub-processor list, where required) is populated by Annex III of this DPA.
11.3 UK transfers. For Customer Personal Data subject to the UK GDPR, the UK Addendum is incorporated and completed as set out in Annex I (Tables 1–4), with the EU SCCs (as modified by the UK Addendum) applying to the transfer.
11.4 Swiss transfers. For Customer Personal Data subject to the FADP, the EU SCCs apply with the modifications necessary under the FADP (including references to the Swiss Federal Data Protection and Information Commissioner and to Swiss law where appropriate).
11.5 Alternative mechanisms. If we adopt an alternative lawful transfer mechanism (for example, certification under the EU–U.S. Data Privacy Framework and UK Extension), that mechanism will apply to the relevant transfers instead of, or in addition to, the SCCs to the extent it provides a valid basis for transfer.
11.6 Conflict. In case of any conflict between the SCCs/UK Addendum and this DPA, the SCCs/UK Addendum prevail with respect to the transfers they govern.
12. CCPA / U.S. State Law Service-Provider Terms
To the extent we process Customer Personal Data that is subject to the CCPA or another U.S. state privacy law, and we act as a Service Provider (or Processor/Contractor under such laws):
12.1 We will process Customer Personal Data only for the business purpose(s) of providing the Services as specified in the Agreement and this DPA, and not for any other purpose.
12.2 We will not sell or share (as those terms are defined under the CCPA) Customer Personal Data, and will not retain, use, or disclose it (a) for any purpose other than the specified business purposes, including any commercial purpose other than providing the Services, or (b) outside the direct business relationship with the Customer.
12.3 We will not combine Customer Personal Data with Personal Data we receive from, or on behalf of, other persons, or collect directly, except as permitted by the CCPA for a Service Provider.
12.4 We certify that we understand and will comply with the restrictions in this Section 12.
12.5 We will notify the Customer if we determine that we can no longer meet our obligations under the CCPA, and the Customer may take reasonable steps to stop and remediate unauthorized use.
12.6 We will assist the Customer in responding to verifiable consumer requests as set out in Section 7.
13. General
13.1 Liability. Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. Where the EU SCCs apply, nothing in this DPA limits a Data Subject's rights under the SCCs.
13.2 Order of precedence. In the event of a conflict: (a) the EU SCCs / UK Addendum prevail over this DPA for the transfers they govern; (b) this DPA prevails over the rest of the Agreement regarding the processing of Customer Personal Data; otherwise the Agreement controls.
13.3 Changes. We may update this DPA where required to comply with Applicable Data Protection Law, to reflect Sub-processor or security changes consistent with this DPA, or to adopt updated SCCs or transfer mechanisms, provided the overall protection of Customer Personal Data is not materially reduced.
13.4 Term. This DPA takes effect on the Effective date and remains in force for as long as we process Customer Personal Data.
13.5 Signatures. Where a signed copy is required, an authorized representative of each party may sign below. Otherwise, this DPA is accepted by the Customer's acceptance of the Agreement.
| Customer (Controller) | 6th Sense Interactive LLC, d/b/a Ravela (Processor) |
|---|---|
| Signature: ________________________ | Signature: ________________________ |
| Name: ________________________ | Name: Ilfan Radoncic |
| Title: ________________________ | Title: Managing Member, 6th Sense Interactive LLC |
| Date: __________ | Date: __________ |
Annex I — Description of Processing and Transfer Details
(This Annex also populates Annex I of the EU SCCs and Tables 1–3 of the UK Addendum.)
A. List of Parties
- Data exporter (Controller): the Customer, as identified in the Agreement. Contact: the Customer's Account email / administrator. Role: Controller (or Processor on behalf of a third-party Controller).
- Data importer (Processor): 6th Sense Interactive LLC (d/b/a Ravela), New Jersey, United States; a mailing address for legal notices is available on written request to [email protected]. Contact: [email protected]. Role: Processor.
B. Description of Processing
| Item | Description |
|---|---|
| Subject matter | Our provision of the Services to the Customer. |
| Duration | The term of the Agreement plus any period until deletion/return under Section 9. |
| Nature and purpose | Hosting, storing, transmitting, and otherwise processing Customer Personal Data to operate the messaging automations, unified inbox, contact management, hosted intake forms, raffles and engagement tools, file/asset hosting and delivery (including shareable and tracked links), storefront/commerce, email automation, analytics, and AI-assisted features the Customer configures, and to secure and support the Services. |
| Categories of Data Subjects | The Customer's End Users — e.g., the Customer's social-media followers and message senders; recipients of the Customer's automated messages and emails; storefront customers; and the Customer's own personnel/team members to the extent included. |
| Categories of Personal Data | Identifiers and contact data (e.g., platform user ID and username, display name, email address); message content (text, attachments, and structured content of direct messages); custom fields and tags defined by the Customer (which may contain additional data the Customer collects); form and input responses submitted through hosted intake forms or in-chat prompts; consent and preference records; email send/engagement and suppression data; engagement events (e.g., raffle entries, tracked-link clicks, and asset/file views or downloads); storefront order data (email, order status, amounts, currency, and payment-processor identifiers — not full card data); AI feature inputs/outputs where the Customer enables optional AI-assisted features; and technical/usage data associated with the foregoing. |
| Sensitive data | Not intended to be processed. The Customer must not submit special-category or sensitive Personal Data except where lawful and necessary, and should apply any additional restrictions required. |
| Frequency | Continuous, for the duration of the Agreement. |
| Recipients | The Sub-processors listed in Annex III, for the purposes described there. |
C. Competent Supervisory Authority (EU SCCs Clause 13): the supervisory authority of the EU member state in which the Customer (data exporter) is established or, where the Customer is not established in the EU, the Irish Data Protection Commission.
D. UK Addendum Table 4 ("ending the Addendum"): the Importer and Exporter may end the Addendum as set out in the Addendum. Start date: the Effective date. Parties / governing SCCs: as above and in Section 11.
Annex II — Technical and Organizational Measures (TOMs)
(This Annex populates Annex II of the EU SCCs and reflects the measures described in Privacy Policy §9. We may update these measures as described in Section 5.2.)
| Area | Measures |
|---|---|
| Encryption at rest | Connected-platform access/refresh tokens, stored integration/payment-connection credentials, and MFA TOTP secrets are encrypted using AES-256-GCM with per-credential initialization vectors. |
| Password protection | Account passwords are stored only as salted hashes (bcrypt); never in plaintext. Recovery/backup codes are stored hashed. |
| Encryption in transit | Services are served over HTTPS/TLS. |
| Access control | Role-based access within Workspaces; least-privilege access for personnel; administrative access controls; optional multi-factor authentication with encrypted TOTP secrets and hashed recovery codes; optional admin IP allow-listing. |
| Authentication & session security | Short-lived access tokens (~15 min) and refresh tokens (~7 days) with revocation; token-version invalidation; brute-force lockouts; one-time, short-lived MFA challenge tokens. |
| Logging & monitoring | Security audit logging of authentication and security events; structured application logging; error monitoring. |
| Network & application security | Rate limiting/throttling; input validation; parameterized database queries; webhook signature verification; protections against server-side request forgery (host checks + DNS pinning) for outbound requests; restricted CORS; cross-site request protections on auth routes. |
| Segregation / multi-tenancy | Logical separation of Customer data by Workspace; access scoped per Workspace. |
| Resilience & backups | Routine backups; high-availability infrastructure. |
| Deletion | Account/Workspace deletion cascades to associated data; stored files purged; configurable retention windows for messages, flow runs, events, webhook events, and audit logs. |
| Sub-processor management | Contractual flow-down of data-protection obligations; review of Sub-processors. |
| Personnel | Confidentiality obligations and security awareness for personnel with access. |
Annex III — Authorized Sub-processors
(This Annex is the current sub-processor list referenced in Section 6.1. It is kept in sync with Privacy Policy §5.)
| Provider | Purpose | Location |
|---|---|---|
| Railway Corporation | Application hosting and databases | United States |
| Cloudflare, Inc. | DNS, CDN, email routing, security | United States |
| Amazon Web Services, Inc. | File storage (S3) and transactional email (SES) | United States |
| Stripe, Inc. | Payment processing and billing | United States |
| Meta Platforms, Inc. | Instagram/Messenger APIs for the messaging features our customers connect | United States |
| Anthropic, PBC | AI-assisted features, where enabled | United States |
| OpenAI, L.L.C. | AI-assisted features, where enabled | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and application diagnostics | United States |