Data Processing Agreement

Version 1.0 · Effective April 9, 2026

Data Processing Agreement (DPA)

Revive — operated by Quantum Branding LLC

| Field | Value |
|---|---|
| Processor | Quantum Branding LLC ("Revive") |
| Registered address | 30 N Gould St Ste R, Sheridan, WY 82801, USA |
| Contact | Nizzar Ben Chekroune — nizzar@keeprevenue.com |
| Product | Revive — Stripe failed-payment recovery service (https://keeprevenue.com) |
| Effective Date | Date of Customer's acceptance (by connecting a Stripe account or signing this document) |
| Version | 1.0 — Last updated 2026-04-09 |

1. Parties and Roles

1.1 Customer is the entity that connects a Stripe account to Revive and is identified in Stripe's OAuth authorization grant.

1.2 Revive is Quantum Branding LLC, a Wyoming limited liability company, operating the software service at https://keeprevenue.com.

1.3 For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"):

  • Customer acts as the Data Controller (or Business) with respect to end-customer personal data processed by Revive.
  • Revive acts as the Data Processor (or Service Provider) with respect to that data.

1.4 This DPA forms part of, and is subject to, the Revive Terms of Service available at https://keeprevenue.com/terms. In the event of a conflict between this DPA and the Terms of Service with respect to data protection, this DPA prevails.


2. Scope and Subject Matter of Processing

2.1 Subject matter. Processing of personal data of Customer's end-customers ("Data Subjects") for the purpose of recovering failed Stripe charges.

2.2 Duration. For as long as Customer's Stripe account remains connected to Revive, plus a retention period defined in Section 9.

2.3 Nature and purpose. Revive performs the following processing on Customer's behalf:

  • Reads failed charges, payment intents, invoices, subscriptions, and customer metadata from Customer's connected Stripe account via the Stripe API
  • Classifies each failed charge by decline code and determines an optimal retry schedule
  • Initiates retry PaymentIntent API calls against Customer's Stripe account (using idempotency keys to prevent duplicate charges)
  • Sends branded recovery emails from a domain controlled by Customer to the Data Subject's email address
  • Stores aggregated and per-charge recovery analytics accessible to Customer via the Revive dashboard

2.4 Categories of Data Subjects. Customer's end-customers whose Stripe charges have failed and are eligible for retry.

2.5 Categories of Personal Data processed. The minimum necessary set:

  • Email address
  • First name / full name (where provided by Stripe)
  • Stripe customer_id, charge_id, invoice_id, payment_intent_id
  • Charge metadata: amount, currency, decline code, timestamps, retry attempt number
  • Technical metadata for email deliverability: IP address of email opens, user agent

2.6 Data NOT processed. Revive does not process, store, or transmit:

  • Full card numbers (PAN), CVV, or any card data — these remain tokenized inside Stripe
  • Bank account numbers or routing numbers
  • Government-issued identifiers (SSN, passport, national ID)
  • Special categories of personal data under Article 9 GDPR (health, biometric, racial, religious, political, etc.)

3. Customer Instructions

3.1 Revive processes personal data only on documented instructions from Customer. The Customer's connection of a Stripe account to Revive, and Customer's configuration choices within the Revive dashboard, constitute Customer's documented instructions.

3.2 Revive will immediately inform Customer if, in Revive's opinion, an instruction infringes GDPR, UK GDPR, CCPA/CPRA, or other applicable data protection law.

3.3 Revive will not:

  • Sell personal data (as "sell" is defined under CCPA/CPRA)
  • Share personal data for cross-context behavioral advertising
  • Retain, use, or disclose personal data for any purpose other than providing the Revive service to Customer
  • Combine personal data received from Customer with personal data from any other source, except as strictly necessary to provide the service

4. Confidentiality

4.1 Revive ensures that any person authorized to process personal data is bound by a written or statutory obligation of confidentiality.

4.2 As of the Effective Date, access to production systems containing personal data is restricted to the founder (Nizzar Ben Chekroune). Any future personnel with such access will be subject to written confidentiality agreements before being granted access.


5. Security Measures (Article 32 GDPR)

5.1 Revive implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

5.1.1 Encryption

  • Data in transit: TLS 1.3 enforced on all endpoints; HSTS enabled with max-age ≥ 1 year
  • Data at rest: AES-256 encryption on Supabase Postgres (managed by AWS RDS)
  • Secrets and API keys: encrypted at rest in Vercel environment variables

5.1.2 Access Control

  • Two-factor authentication enforced on all administrative accounts (Stripe, Vercel, Supabase, Resend, GitHub, domain registrar)
  • Row-Level Security (RLS) enforced on every Supabase table containing Customer data, scoped by stripe_account_id
  • Production database access limited to SECURITY DEFINER RPC functions with narrow permissions; no direct table writes from application code

5.1.3 Network Security

  • All traffic routed through Vercel's edge network with DDoS protection
  • API endpoints protected by cron secrets, Stripe webhook signature verification, and session-scoped cookies

5.1.4 Application Security

  • Idempotency keys used on all Stripe retry calls to prevent duplicate charges
  • Stripe webhook signatures verified on every inbound event
  • Dependencies scanned and updated on a rolling basis

5.1.5 Logging and Monitoring

  • Audit logs retained for all administrative actions and Stripe API calls
  • Error monitoring via Vercel runtime logs
  • Daily automated business report identifying anomalous activity

5.1.6 Business Continuity

  • Postgres automated daily backups retained by Supabase for 7 days (rolling)
  • Application code version-controlled in Git with full deployment history
  • Recovery Time Objective (RTO): 4 hours for core service restoration
  • Recovery Point Objective (RPO): 24 hours (daily backup cadence)

5.2 Certifications — current status. As of the Effective Date, Revive itself does not hold SOC 2, ISO 27001, or PCI-DSS certification. The underlying infrastructure providers Revive relies on are independently certified:

| Provider | Purpose | Certifications |
|---|---|---|
| Vercel Inc. | Hosting, edge compute | SOC 2 Type II, ISO 27001 |
| Supabase Inc. | Database, RLS | SOC 2 Type II, HIPAA-eligible |
| Stripe Inc. | Payment processing | PCI-DSS Level 1, SOC 1, SOC 2 |
| Resend Inc. | Transactional email | SOC 2 Type II |
| Cloudflare Inc. | DNS, WAF | SOC 2 Type II, ISO 27001 |

5.3 Revive will pursue SOC 2 Type I certification within 12 months of the first enterprise customer that requires it, and will notify Customer upon certification.


6. Sub-processors

6.1 Customer grants Revive general authorization to engage the sub-processors listed below. Revive will notify Customer of any intended additions or replacements at least 30 days in advance by email to the address on file, giving Customer the opportunity to object on reasonable data protection grounds.

| Sub-processor | Purpose | Location of processing | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge compute | USA (us-east-1, iad1) | EU SCCs (2021/914), UK IDTA |
| Supabase Inc. | Primary database | USA (us-east-1) | EU SCCs (2021/914), UK IDTA |
| Stripe Inc. | Payment processing (Customer's chosen processor) | USA, Ireland | EU SCCs, Customer's existing Stripe DPA |
| Resend Inc. | Transactional email delivery | USA | EU SCCs (2021/914), UK IDTA |
| Cloudflare Inc. | DNS, CDN, WAF | Global edge | EU SCCs (2021/914), UK IDTA |

6.2 Revive imposes data protection obligations on each sub-processor that are no less protective than those in this DPA.

6.3 Revive remains fully liable to Customer for the acts and omissions of its sub-processors.


7. International Transfers

7.1 Where personal data originating in the European Economic Area, United Kingdom, or Switzerland is transferred to a country not recognized as providing an adequate level of protection, the transfer is governed by the Standard Contractual Clauses (SCCs) approved by the European Commission in Decision (EU) 2021/914, Module Two (Controller to Processor), which are hereby incorporated by reference.

7.2 For transfers from the United Kingdom, the UK International Data Transfer Addendum (IDTA) to the SCCs applies.

7.3 For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.

7.4 Revive has conducted a Transfer Impact Assessment for the sub-processors listed in Section 6 and concluded that supplementary measures (TLS encryption, minimum data principle, audit logs) provide adequate protection in light of the nature of data processed.


8. Data Subject Rights

8.1 Revive will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights under GDPR Chapter III and CCPA/CPRA equivalent rights, including:

  • Right of access (Article 15 GDPR / § 1798.110 CCPA)
  • Right to rectification (Article 16 GDPR / § 1798.106 CCPA)
  • Right to erasure (Article 17 GDPR / § 1798.105 CCPA)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)

8.2 If Revive receives a rights request directly from a Data Subject, Revive will forward it to Customer without undue delay and will not respond to the Data Subject directly except to acknowledge receipt.

8.3 Customer can initiate a data export or deletion for a specific Stripe customer by contacting nizzar@keeprevenue.com. Revive will complete the action within 30 days.


9. Retention and Return/Deletion

9.1 During the term. Revive retains personal data only as long as necessary to provide the service.

9.2 Upon termination or disconnection. Within 30 days of Customer disconnecting their Stripe account from Revive, or of termination of this DPA, Revive will:

  • Cease all processing of personal data
  • At Customer's choice (notified in writing before disconnection), either:
    • (a) Return all personal data to Customer in a commonly used, machine-readable format (CSV or JSON), or
    • (b) Delete all personal data from production systems

9.3 Backups. Personal data in automated backups will be deleted within the normal 7-day backup rotation cycle.

9.4 Legal retention. Revive may retain personal data to the extent and for the period required by applicable law, in which case Revive will continue to protect it under this DPA and process it only to the extent required by such law.


10. Personal Data Breach Notification

10.1 Revive will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer's data.

10.2 The notification will include, to the extent known at the time:

  • The nature of the breach, categories and approximate number of Data Subjects affected, and categories and approximate number of personal data records concerned
  • The name and contact details of the Revive contact point
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

10.3 Revive will provide Customer with updates as more information becomes available and will cooperate with Customer's investigation and any required notifications to supervisory authorities or Data Subjects.

10.4 Breach notification contact: nizzar@keeprevenue.com and, as a backup, nizzar@me.com.


11. Audits and Inspections

11.1 Revive will make available to Customer all information reasonably necessary to demonstrate compliance with its obligations under this DPA and Article 28 GDPR.

11.2 Upon Customer's written request (no more than once per 12-month period, except in the case of a Personal Data Breach or regulatory requirement), Revive will complete a standard security questionnaire (such as CAIQ-Lite or SIG-Lite) within 30 days.

11.3 Customer may, upon 30 days' prior written notice, conduct a remote audit of Revive's compliance with this DPA, limited to the scope strictly necessary to assess compliance. Costs of the audit are borne by Customer unless the audit reveals a material breach of this DPA, in which case Revive bears the costs.

11.4 On-site audits are not available at this time; Customer may engage an independent third-party auditor instead.


12. Liability

12.1 Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Revive Terms of Service, except to the extent prohibited by applicable law.

12.2 Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence, (b) fraud or fraudulent misrepresentation, or (c) any other liability that cannot be excluded under applicable law.


13. Governing Law and Jurisdiction

13.1 This DPA is governed by the laws of the State of Wyoming, USA, without regard to conflict-of-law principles, except where superseded by mandatory GDPR, UK GDPR, or CCPA/CPRA provisions.

13.2 For Data Subjects resident in the EU/EEA, the SCCs are governed by the law of the EU Member State specified in the SCCs themselves.

13.3 Any disputes arising out of or in connection with this DPA will be subject to the exclusive jurisdiction of the courts of Sheridan County, Wyoming, USA, except where Customer or Data Subjects have non-waivable rights to bring proceedings in another jurisdiction under applicable consumer or data protection law.


14. Miscellaneous

14.1 Order of precedence. In the event of a conflict between (i) this DPA, (ii) the SCCs, and (iii) the Revive Terms of Service, the order of precedence is: (ii) → (i) → (iii).

14.2 Amendments. Revive may update this DPA to reflect changes in applicable law, sub-processor lists, or security measures. Material changes will be communicated to Customer at least 30 days in advance by email.

14.3 Severability. If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA will remain in full force and effect.

14.4 Entire agreement on data protection. This DPA, together with the Terms of Service, constitutes the entire agreement between the parties with respect to the processing of personal data.


15. Acceptance

This DPA takes effect on the date Customer either (a) connects a Stripe account to Revive, or (b) countersigns a copy of this document and returns it to Revive.

For Quantum Branding LLC (Revive)

Name: Nizzar Ben Chekroune
Title: Founder & Managing Member
Date: 2026-04-09
Signature: _______________________________

For Customer

Company: _______________________________
Name: _______________________________
Title: _______________________________
Date: _______________________________
Signature: _______________________________


Annex I — Processing Details (populated per Customer)

| Item | Value |
|---|---|
| Customer (Controller) | [to be completed] |
| Controller contact / DPO | [to be completed] |
| Stripe account ID | [set at time of OAuth connection] |
| Categories of Data Subjects | End-customers with failed Stripe charges |
| Categories of Personal Data | See Section 2.5 |
| Processing operations | See Section 2.3 |
| Duration | Term of Stripe connection + 30 days |
| Sub-processors | See Section 6 |

Annex II — Technical and Organizational Measures

See Section 5 of this DPA.

Annex III — Sub-processor List

See Section 6 of this DPA. Current list maintained at: https://keeprevenue.com/legal/subprocessors

This DPA governs Revive's processing of personal data on your behalf. It is incorporated by reference into the Terms of Service. For questions or to request a countersigned copy, email nizzar@keeprevenue.com.