Data Processing Agreement

Home / Legal / Data Processing Agreement

This DPA is entered into between NexTech Advisors, LLC d/b/a Rivvet AI (“Processor”) and the client identified in the applicable Service Order (“Controller” or “Client”), and is incorporated into the MSA at rivvetai.com/legal/msa.

1. DEFINITIONS

“Applicable Privacy Laws” means U.S. state privacy laws applicable to the processing of Client Data, including the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA) and comparable laws such as the Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and Oregon CPA, in each case as amended.

“Client Data” has the meaning set forth in the MSA and constitutes “Personal Information” (or the equivalent term) as defined under Applicable Privacy Laws.

“Consumer” means a natural person who is a resident of a state with Applicable Privacy Laws and whose Personal Information is included in Client Data.

“Processing” means any operation performed on Personal Information, including collection, recording, storage, use, disclosure, deletion, and destruction.

“Service Provider / Processor” means an entity that processes Personal Information on behalf of a controller. Processor acknowledges it acts in this capacity with respect to Client Data.

“Subprocessor” means any third party engaged by Processor to process Personal Information on behalf of Controller.

2. PROCESSOR OBLIGATIONS

2.1 Processing Instructions.

Processor shall process Client Data only: (a) in accordance with Controller’s documented instructions as set forth in the MSA, the Order, and this DPA; (b) as necessary to provide the Services; and (c) as required by applicable law, in which case Processor shall inform Controller before processing unless prohibited by law.

2.2 Service Provider / Processor Restrictions.

Processor shall not: (a) sell or share Client Data; (b) retain, use, or disclose Client Data for any purpose other than providing the Services; (c) retain, use, or disclose Client Data outside the direct business relationship between the parties; or (d) combine Client Data with personal information received from or on behalf of other clients, except as permitted by Applicable Privacy Laws. Processor certifies it understands and will comply with these restrictions.

2.3 Confidentiality.

Processor shall ensure that all personnel authorized to process Client Data are bound by appropriate confidentiality obligations.

2.4 Security.

Processor shall implement and maintain commercially reasonable technical and organizational measures designed to protect Client Data against unauthorized access, disclosure, alteration, or destruction, including: encryption in transit (TLS 1.2+) and at rest; role-based access controls; authentication requirements; monitoring and logging; and subprocessor security assessments. Additional detail is in Rivvet’s Security Overview at rivvetai.com/legal/security.

2.5 Subprocessors.

Controller authorizes Processor to engage the Subprocessors identified on Processor’s current Subprocessor List (see Schedule A). Processor shall: (a) enter into binding agreements with each Subprocessor imposing obligations at least as protective as this DPA; and (b) remain liable for the acts and omissions of its Subprocessors. Processor will provide at least thirty (30) days’ prior notice of any addition or replacement of a Subprocessor, during which Controller may object on reasonable data-protection grounds.

2.6 Consumer Rights Assistance.

Processor shall provide commercially reasonable assistance to Controller in fulfilling Consumer requests under Applicable Privacy Laws, including access, deletion, correction, portability, and opt-out. Processor shall forward any Consumer request it receives directly to Controller within five (5) business days.

2.7 Data Breach Notification.

Processor shall notify Controller without undue delay, and in no event later than seventy-two (72) hours after confirming a breach of security affecting Client Data. The notice shall describe, to the extent known: (a) the nature of the breach; (b) the categories and approximate number of individuals affected; (c) the categories and approximate volume of records affected; (d) likely consequences; and (e) measures taken or proposed.

2.8 Data Deletion and Return.

On termination of the MSA, Processor shall, at Controller’s written request made within thirty (30) days of termination, export Client Data in a commercially reasonable format, and shall securely delete Client Data within ninety (90) days of termination, subject to legal retention requirements. Processor shall certify deletion in writing on request.

2.9 Audits.

On Controller’s written request with at least thirty (30) days’ notice, and no more than once per calendar year, Processor shall provide documentation reasonably necessary to demonstrate compliance with this DPA. Controller may conduct an audit at its own expense, subject to reasonable confidentiality obligations.

3. CONTROLLER OBLIGATIONS

Controller represents and warrants that: (a) it has the authority to provide Client Data to Processor; (b) it has obtained all required consents and provided all required notices to Consumers; (c) it will comply with Applicable Privacy Laws in its instructions to Processor; and (d) it will not instruct Processor to process Client Data in a manner that violates applicable law.

4. STATE-LAW SERVICE PROVIDER PROVISIONS

To the extent Client Data includes Personal Information subject to the CCPA/CPRA: Processor is a “Service Provider,” processes Personal Information only for the business purpose of providing the Services, will not disclose it to any third party other than authorized Subprocessors, and will delete it on Controller’s request and direct Subprocessors to do the same. Processor extends equivalent commitments under comparable Applicable Privacy Laws to the extent they impose service-provider or processor contracting requirements.

5. AI-SPECIFIC DATA PROCESSING

Controller acknowledges that:

• Rivvet’s AI employees and hosted applications process conversational and submitted data in real time to generate responses. This processing is transient and necessary to provide the Services.
• Call recordings, transcripts, and submitted content may be retained for quality assurance, service improvement, and dispute resolution for up to 90 days unless Controller requests shorter retention or the Order specifies otherwise.
• Processor uses commercially reasonable measures to prevent AI models from retaining or learning from Client Data beyond the scope of service delivery.
• Processor’s AI model and infrastructure providers are identified on the Subprocessor List and are bound by enterprise data processing terms under which they do not train foundation models on Client Data.

6. GENERAL PROVISIONS

This DPA is incorporated into and governed by the MSA. In the event of a conflict between this DPA and the MSA with respect to data-processing obligations, this DPA controls; all other MSA terms apply. This DPA terminates with the MSA.

SCHEDULE A — AUTHORIZED SUBPROCESSORS

Controller authorizes Processor to engage the Subprocessors identified on Processor’s current Subprocessor List, which Processor provides to Controller on written request to legal@rivvetai.com. The list identifies each Subprocessor, its processing purpose, the categories of data processed, and its location. Processor provides at least thirty (30) days’ prior notice of any addition or replacement, consistent with Section 2.5.