Data Processing Agreement (DPA)

Effective Date: December 1, 2024

Parties: This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (“Terms”) between Rizer Inc. (“Rizer”, “Processor”) and the customer (“Customer”, “Controller”).

By using the Services, you agree to this DPA, incorporated by reference into the Terms. Capitalized terms not defined here have the meaning in the Terms.

1) Purpose of this DPA

1.1 Purpose. This DPA governs Rizer’s Processing of Customer Personal Data on Customer’s behalf in connection with the Services.
1.2 Roles. For Customer CRM data, Customer is Controller/Business and Rizer is Processor/Service Provider. For website/marketing/support data that Rizer collects itself, Rizer acts as Controller (see Privacy Policy).
1.3 Definitions. “Applicable Data Protection Laws” includes GDPR (EU/UK), CPRA/CCPA and materially similar U.S. state privacy laws, and associated regulations/guidance. “Customer Personal Data” means Personal Data in Customer Data that Rizer Processes for Customer under the Terms.


2) Roles and Scope

2.1 Documented Instructions. Rizer Processes Customer Personal Data only on Customer’s documented instructions, including this DPA, the Terms, applicable orders, Customer admin/API settings, and as required by law.
2.2 Conflicting Legal Requirements. If law prevents compliance with an instruction, Rizer will (where legally permitted) notify Customer before Processing.
2.3 Transfers as Instruction. Customer authorizes international transfers as reasonably necessary to provide the Services and as described in Section 6 and Annex IV.


3) Personnel Confidentiality

3.1 Confidentiality. Rizer ensures persons authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations.
3.2 Need-to-Know Access. Access is limited to personnel with a legitimate need-to-know for the Services.


4) Security Measures

4.1 Technical & Organizational Measures. Rizer implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Annex II (Security Measures).
4.2 Updates. Measures may be updated from time to time provided the overall security level is not reduced.


5) Sub-Processors

5.1 Authorization. Customer authorizes Rizer to engage Sub-Processors to support the Services. The current list appears in Annex III and may be updated per this Section.
5.2 Flow-down & Responsibility. Rizer will contractually impose data-protection obligations no less protective than those in this DPA on Sub-Processors and remains fully liable for their performance vis-à-vis Customer.
5.3 Notice & Objection. Rizer will provide at least 30 days’ advance notice of material Sub-Processor changes (e.g., by email, in-product, or web page). Customer may object on reasonable grounds; the parties will discuss in good faith. If unresolved, Customer may terminate the affected Service according to the Terms.
5.4 Deletion by Sub-Processors. On termination/expiry, Rizer will instruct Sub-Processors to delete/return Customer Personal Data consistent with Section 11.


6) International Transfers

6.1 Safeguards. Rizer and its Sub-Processors will use recognized transfer safeguards (e.g., EU SCCs, UK Addendum, Swiss Add-On, and/or EU-US/UK-US/Swiss-US Data Privacy Framework) as applicable and described in Annex IV.
6.2 Transfer Impact Assessments (TIAs). Where required, Rizer conducts TIAs (or equivalent) and can provide a high-level summary of safeguards under confidentiality upon reasonable request.
6.3 Precedence. For transfers under SCCs/UK Addendum, the governing law/supervisory authority selections in those instruments control for those transfers.


7) Assistance with Data Subject Rights

7.1 Data Subject Requests. Taking into account the nature of Processing, Rizer will assist Customer by appropriate technical and organizational measures, insofar as possible, for Customer to meet obligations to respond to requests under Applicable Data Protection Laws.
7.2 GDPR Arts. 32–36 / U.S. Analogs. Rizer will assist Customer with security, breach notification, DPIAs, and consultations with authorities, considering the nature of Processing and information available to Rizer.
7.3 Regulatory Cooperation. Rizer will reasonably cooperate with competent supervisory authorities where required by law.


8) Personal Data Breach Notification

8.1 Timing. Rizer will notify Customer of a Personal Data Breach without undue delay and no later than 72 hours after becoming aware.
8.2 Content. Notifications will include available information such as incident nature, categories/approximate numbers of data subjects and records, likely consequences, and measures taken/proposed.
8.3 Investigation & Mitigation. Rizer will promptly investigate, mitigate, and keep Customer reasonably informed. Notifications are not an admission of fault.


9) Annexes (Downloadable PDFs)

The detailed legal terms are available as annexes:


10) Documentation & Audits

10.1 Documentation & Reports. Upon request (no more than once every 12 months, unless following a material incident or regulator request), Rizer will make available summary security documentation, relevant third-party summaries (e.g., most recent external pen-test summary; SOC 2/ISO reports if available), and reasonable responses to security/privacy questionnaires.
10.2 Audit. If the above is insufficient, Customer may conduct a reasonable remote or on-site audit on 30 days’ prior written notice, during business hours, in a manner that does not disrupt operations and subject to confidentiality/safety requirements.
10.3 Costs & Remediation. Audits are at Customer’s expense; however, if an audit identifies a material non-compliance attributable to Rizer, Rizer will remediate and reimburse reasonable audit costs for the portion confirming such material non-compliance.
10.4 Scope Limits. Audits must be reasonable in scope, avoid exposure of third-party confidential information, and not compromise the security or availability of the Services.


11) Return & Deletion; U.S. Service-Provider Restrictions; Precedence, Changes & Liability

11.1 Export, Return & Deletion. During the term and for 30 days after termination, Customer may export Customer Data (CSV/JSON/API). After the export window, Rizer will delete Customer Personal Data from production systems and instruct Sub-Processors to do the same, unless retention is legally required. Standard immutable backups roll off on normal cycles; access is restricted. Upon request, Rizer will confirm deletion in writing. Rizer may retain and use de-identified/aggregated data that cannot reasonably identify an individual or Customer.
11.2 U.S. State Service-Provider/Processor Restrictions. For Customer Personal Data subject to CPRA/CCPA and similar U.S. state privacy laws, Rizer acts as a Service Provider/Processor and will: not Sell/Share Customer Personal Data; not retain/use/disclose it outside the direct business relationship or for purposes other than providing the Services; not combine it with other personal information except as permitted (e.g., security/incident detection, legal compliance, or internal improvement that does not build profiles for non-Service purposes); flow down these restrictions to Sub-Processors; and assist with deletion/correction/access/opt-out obligations.
11.3 Order of Precedence & Governing Law. In case of conflict between this DPA and the Terms, this DPA controls for Processing of Customer Personal Data. Governing law/venue follow the Terms, except that transfer instruments (e.g., SCCs) control for those transfers.
11.4 Changes. Rizer may modify this DPA consistent with the Terms and applicable law; material changes will be notified in advance as described in the Terms.
11.5 Liability (DPA-Specific). To the maximum extent permitted by law: (a) neither party is liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or lost profits, revenue, or goodwill, or regulatory fines; and (b) Rizer’s aggregate liability arising from or related to this DPA is limited to the greater of (i) the fees paid by Customer to Rizer for the Services in the 12 months preceding the event giving rise to the claim, or (ii) US$100. The foregoing applies regardless of the form of action and even if a party was advised of the possibility of such damages. Rizer remains fully responsible for its Sub-Processors vis-à-vis Customer as set out in Section 5, subject to this cap.