360REV — Data Processing Addendum (Template)

Document version: 2026-05-11.1

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Controller") and 360REV, Inc. ("Processor"). It governs how 360REV processes personal data on your behalf.

1. Definitions

Capitalized terms have the meaning given in the GDPR (Regulation (EU) 2016/679) and CCPA (California Civil Code §1798.100 et seq.). "Personal Data" means data relating to an identified or identifiable natural person.

2. Roles

You are the Controller of Personal Data you submit to the Service. 360REV is the Processor acting on your documented instructions.

3. Subject matter, duration, nature, and purpose

• Subject matter: processing necessary to deliver the Service
• Duration: the term of your subscription
• Nature: storage, retrieval, analysis, AI orchestration, delivery to integrations you authorize
• Purpose: performing the contract between you and 360REV

4. Categories of data + data subjects

• Account holders (you + your team members)
• Contacts and leads in your CRM
• Customers of yours that you manage in the platform
• Recipients of campaigns you send

5. Processor obligations

• Process Personal Data only on documented instructions from Controller
• Ensure persons authorized to process are bound by confidentiality
• Implement appropriate technical and organizational measures (Article 32 GDPR) — TLS 1.3 in transit, AES-256 at rest, OWASP-aligned application security, audit logging
• Assist Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
• Notify Controller of any Personal Data breach within 72 hours of becoming aware
• Assist with DPIAs and prior consultation with supervisory authorities as required
• Delete or return all Personal Data at end of services per your instructions

6. Sub-processors

Controller authorizes 360REV to engage the sub-processors listed at /legal/sub-processors. 360REV will notify Controller of material changes at least 30 days in advance.

7. International transfers

Where 360REV transfers Personal Data outside the EEA/UK, it does so under the EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum, and equivalent safeguards.

8. Audit

360REV will make available to Controller all information necessary to demonstrate compliance with this DPA, and will allow audits, including inspections, conducted by Controller or another auditor mandated by Controller, on reasonable notice (typically once per twelve-month period unless a Personal Data breach has occurred).

9. Records

360REV maintains a Record of Processing Activities (ROPA) per Article 30 GDPR. A redacted summary is available on request.

10. Liability

Liability under this DPA is subject to the limitations in the main agreement.

11. Term + termination

This DPA is in effect for the duration of the Service term. Provisions that by their nature should survive termination (confidentiality, indemnity, post-termination data return/deletion) will so survive.

12. Signing

For an executed counterpart, email legal@360rev.com.

This document is a working template pending counsel review and will be replaced before general availability.