Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the contract between WiserReview (Processor) and you, the merchant (Controller), pursuant to GDPR Article 28.
1. Parties
Data Controller
You (the Merchant)
The business or individual that has signed up for WiserReview and is directing the collection and processing of customer review data. Your identity is as registered in your WiserReview account.
Data Processor
Tatvam Cloud Solutions, Inc
Operating as WiserReview
Email: [email protected]
Website: wiserreview.com
This DPA is incorporated into and forms part of the WiserReview Terms & Conditions. By using WiserReview services, you agree to this DPA. Enterprise customers may request a countersigned copy by emailing [email protected].
2. Definitions
3. Details of Processing
| Item | Details |
|---|---|
| Subject Matter | Processing of personal data of the Controller's end customers for the purpose of review collection, management, and display. |
| Duration | For the duration of the Controller's active WiserReview subscription, and until data is deleted per Section 10 of this DPA. |
| Nature of Processing | Collection, storage, retrieval, display, organization, structuring, alteration, querying, transmission, erasure, and destruction of personal data. |
| Purpose | To provide the WiserReview review management platform as described in the Terms & Conditions. |
| Categories of Data | Reviewer name, email address, review text, star rating, photos/videos, IP address, order references (order ID, product name, purchase date), and platform-specific identifiers. |
| Categories of Data Subjects | End consumers (shoppers) who purchase from the Controller's store and submit reviews, or whose data is shared via platform integrations. |
4. Obligations of the Processor (WiserReview)
WiserReview, as Data Processor, shall:
1. Process Personal Data only on documented instructions from the Controller (i.e., to deliver the WiserReview service as described in the Terms & Conditions).
2. Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
3. Implement appropriate technical and organisational security measures as described in Section 7 of this DPA.
4. Assist the Controller in responding to Data Subject rights requests (access, rectification, deletion, portability, objection, restriction) within applicable timeframes.
5. Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data breach affecting the Controller's data.
6. Provide the Controller with all information necessary to demonstrate compliance with GDPR Article 28, and cooperate with audits or inspections conducted by the Controller or a mandated auditor (see Section 9).
7. Engage Sub-Processors only as listed in Section 6, and impose equivalent data protection obligations on them.
8. Delete or return all Personal Data to the Controller upon termination, as per Section 10.
9. Not process Personal Data for any purpose other than delivery of the services.
10. Notify the Controller if it believes any instruction infringes applicable data protection law.
Our full breach notification and incident response procedure is documented at /security/incident-response.
5. Obligations of the Controller (Merchant)
You, as Data Controller, shall:
1. Ensure you have a lawful basis (e.g., legitimate interest, consent, contractual necessity) to share your customers' personal data with WiserReview.
2. Inform your end customers about the use of WiserReview for review management in your privacy policy and any required consent flows.
3. Give documented and lawful instructions to WiserReview regarding the processing of Personal Data.
4. Ensure that the personal data you share with WiserReview is accurate and relevant.
5. Promptly inform WiserReview of any Data Subject rights requests that affect data held by WiserReview.
6. Accept the use of Sub-Processors listed in Section 6 and any updates notified by WiserReview.
6. Sub-Processors
WiserReview currently uses the following Sub-Processors. By accepting this DPA, you provide general authorisation to engage these Sub-Processors. WiserReview will notify you of any intended changes to Sub-Processors and provide an opportunity to object within 14 days.
| Sub-Processor | Purpose | Location | Compliance |
|---|---|---|---|
| Microsoft Azure | Hosting, compute, storage, message queuing | United States | SOC 2, ISO 27001, GDPR |
| MongoDB Atlas (MongoDB, Inc.) | Primary database | United States | SOC 2, ISO 27001, GDPR |
| Cloudflare, Inc. | CDN, WAF, DDoS protection | United States / Global | SOC 2, ISO 27001, GDPR |
| Amazon Web Services (SES/S3) | Email delivery and media file storage | United States | SOC 2, ISO 27001, GDPR |
| Azure Blob Storage (Microsoft) | Media file storage | United States | SOC 2, ISO 27001, GDPR |
| Azure Service Bus (Microsoft) | Message queuing for review request pipeline | United States | SOC 2, ISO 27001, GDPR |
| SendGrid (Twilio) | Transactional email (secondary) | United States | SOC 2, GDPR |
| Sentry (Functional Software, Inc.) | Application error monitoring and diagnostics | United States | SOC 2, GDPR |
| Chargebee Inc. | Billing and subscription management | United States | PCI DSS Level 1, SOC 2, GDPR |
| OpenAI, L.L.C. | AI text generation (review text only, no PII) | United States | SOC 2 |
7. Technical & Organisational Security Measures
WiserReview implements the following technical and organisational measures in accordance with GDPR Article 32:
| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.2 or higher on all endpoints (API, dashboard, widget delivery, email) |
| Encryption at Rest | AES-256 encryption via MongoDB Atlas, Azure Blob Storage, and AWS S3 |
| Access Control | JWT token authentication, Role-Based Access Control (Admin/Editor/Viewer), bcrypt password hashing (cost factor 12) |
| Network Security | Cloudflare WAF with OWASP managed rulesets, L3/L4/L7 DDoS protection, MongoDB Atlas IP whitelisting |
| Multi-Tenant Isolation | Workspace-level logical data isolation; workspace ID enforced on all data queries |
| Container Isolation | Docker containers on Azure App Services; process-level isolation between services |
| CI/CD Security | All secrets stored in GitHub encrypted secrets vault; never in source code or logs |
| Monitoring | Real-time error monitoring (Sentry), Slack alerting, health-check endpoints, latency monitoring |
| Backup & Recovery | MongoDB Atlas continuous automated backups with point-in-time recovery; replica sets with automatic failover |
| Incident Response | Documented incident response plan with 72-hour breach notification commitment |
Full technical security documentation is available at wiserreview.com/security.
8. Data Subject Rights
WiserReview will assist the Controller in fulfilling Data Subject rights requests:
- Access & Portability: Review data can be exported from the dashboard in CSV format.
- Rectification: Merchants can edit review content via the dashboard.
- Deletion (Erasure): Merchants can delete individual reviews or their entire account via the dashboard. Automated data deletion is supported through integration events from connected platforms.
- Objection: Consumers can unsubscribe from review request emails at any time via unsubscribe links.
For Data Subject requests that require WiserReview action, contact [email protected]. We will respond within the required timeframe (no later than 30 days). For a full overview of data subject rights and how we support them, see Data Privacy & Protection §4.2.
9. Audit Rights
WiserReview shall provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA, including access to this publicly available security documentation. The Controller may, upon 30 days' written notice, request an audit of WiserReview's data processing activities. Audits shall be conducted during business hours, at the Controller's expense, and in a manner that does not disrupt WiserReview's operations. WiserReview may satisfy audit obligations by providing relevant third-party audit reports or certifications where available.
10. Return & Deletion of Data
Upon termination of the WiserReview subscription, or upon written request from the Controller, WiserReview shall:
- Delete all Personal Data from primary databases within a reasonable timeframe (typically within 60 days of account closure).
- Provide the Controller with the option to export all review data in CSV format prior to deletion.
- Retain backup data for no longer than the MongoDB Atlas point-in-time recovery window before it is fully purged.
- Purge CDN caches following account closure.
11. Cross-Border Data Transfers
Personal Data is processed primarily in the United States via Microsoft Azure infrastructure. For transfers of Personal Data from the EEA or UK to the United States, WiserReview and its Sub-Processors rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other appropriate transfer mechanisms under GDPR Chapter V. All major Sub-Processors (Azure, AWS, MongoDB Atlas, Cloudflare) maintain GDPR-compliant data transfer frameworks.
12. Governing Law
This DPA is governed by the laws of the State of Delaware, United States, except where superseded by applicable data protection law (including GDPR where applicable). Where GDPR applies, the relevant EU data protection regulations take precedence over this governing law clause.
13. Order of Precedence
In the event of any conflict between this DPA and the Terms & Conditions, this DPA shall prevail with respect to data processing matters. In the event of any conflict between this DPA and applicable data protection law, applicable law shall prevail.
Request a Countersigned DPA
Enterprise customers and organisations requiring a formally executed, countersigned DPA may request one by contacting us. We will return a countersigned copy within 10 business days.
Questions about this DPA?
Tatvam Cloud Solutions, Inc (WiserReview)
[email protected]