Data Processing Addendum
Last updated May 2, 2026
This Data Processing Addendum ("DPA") supplements the Relyv Terms of Service and applies when Relyv processes Personal Data on behalf of a Customer who is subject to the GDPR, UK GDPR, or comparable data-protection laws. By using the Service to record end-user interactions, the Customer accepts this DPA.
1. Roles
The Customer is the Controller of Personal Data captured by the Relyv SDK on Customer properties. Relyv is the Processor and processes such data only on the documented instructions of the Customer (the dashboard configuration, the SDK install parameters, and the support requests the Customer submits).
2. Subject-matter and duration
Subject-matter: provision of the relyv.ai Service. Duration: for as long as the Customer's account is active, plus the post-termination retention windows specified in the Privacy Policy.
3. Categories of data subjects
End-users browsing or interacting with the Customer's websites or applications where the Relyv SDK is deployed.
4. Categories of personal data
Identifiers (anonymous session ID, optional user ID supplied by the Customer), interaction data (clicks, scrolls, page views, console errors, network request metadata), serialised DOM (post-PII-masking), and device and browser metadata. Sensitive personal data should be masked at capture time using the SDK's element masking.
5. Sub-processors
The Customer authorises the engagement of the sub-processors listed at relyv.ai/dpa#sub-processors. Relyv will give 30 days' notice (via dashboard banner and email) before adding a new sub-processor. The Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected service.
6. Security measures
Relyv maintains industry-standard technical and organisational measures: encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, audit logging, annual penetration testing, and an incident-response runbook. Access to production data is limited to a small named group of engineers and audited.
7. Data-subject requests
Where Relyv receives a data-subject request that relates to Customer Data, Relyv will not respond directly (except to acknowledge) and will forward the request to the Customer within three business days. The Customer is responsible for substantive responses. Relyv provides tooling (data export, delete-by-user) to assist.
8. Personal-data breach notification
Relyv will notify the Customer without undue delay (and within 72 hours where feasible) of any confirmed Personal Data Breach affecting Customer Data, and will provide the information reasonably necessary for the Customer to meet its own notification obligations.
9. International transfers
Where transfers from the EEA/UK to a third country occur, the parties rely on the EU SCCs (module 2: controller-to-processor) and the UK Addendum where applicable. The text is incorporated by reference. Transfer Impact Assessments are available on request.
10. Audit
Relyv makes available to the Customer the most recent third-party audit reports (SOC 2 Type II once issued; until then, the SOC 2 readiness assessment) and reasonable supplementary information needed to demonstrate compliance, no more than once per year.
11. Return and deletion
On termination, Relyv will, at the Customer's choice, return or delete Customer Data within the windows described in the Privacy Policy.